Advances
in COMPUTERS VOLUME 38
Contributors to This Volume
B. CHANDRASEKARAN, JOSE A. B. FORTES, KUMAR N. GANAPATHY, JOHN M. LONG, ABBE MOWSHOWITZ, GÜNTHER PERNUL, WEIJIA SHANG, BENJAMIN W. WAH
Advances in COMPUTERS
EDITED BY MARSHALL C. YOVITS
Purdue School of Science, Indiana University-Purdue University at Indianapolis, Indianapolis, Indiana
VOLUME 38
ACADEMIC PRESS: Boston, San Diego, New York, London, Sydney, Tokyo, Toronto
This book is printed on acid-free paper.
Copyright © 1994 by Academic Press, Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system, without permission in writing from the publisher.
ACADEMIC PRESS, INC. A Division of Harcourt Brace & Company, 525 B Street, Suite 1900, San Diego, CA 92101-4495
United Kingdom Edition published by ACADEMIC PRESS LIMITED, 24-28 Oval Road, London NW1 7DX
Library of Congress Catalog Card Number: 59-15761
International Standard Serial Number: 0065-2458
International Standard Book Number: 0-12-012138-7
Printed in the United States of America
94959691 BC 9 8 7 6 5 4 3 2 1
Contents

Contributors vii
Preface ix

Database Security
Günther Pernul
1. Introduction 1
2. Database Security Models 8
3. Multilevel Secure Prototypes and Systems 38
4. Conceptual Data Model for Multilevel Security 45
5. Standardization and Evaluation Efforts 62
6. Future Directions in Database Security Research 65
7. Conclusions 68
References 69

Functional Representation and Causal Processes
B. Chandrasekaran
1. Introduction 73
2. Human Reasoning about the Physical World 76
3. Historical Background 80
4. Functional Representation 84
5. Related Work 131
6. Concluding Remarks 133
Acknowledgments 138
References 138

Computer-Based Medical Systems
John M. Long
1. Overview 145
2. Automation and the Healing Arts: The Changing World of Medicine in the Information Age 147
3. Special Issues in Medical Computing 158
4. A Review of Computer-Based Medical Systems 161
5. Artificial Intelligence in Medicine 165
6. Concluding Remarks 177
References 180

Algorithm-Specific Parallel Processing with Linear Processing Arrays
Jose A. B. Fortes, Benjamin W. Wah, Weijia Shang, and Kumar N. Ganapathy
1. Introduction 198
2. The Mapping Problem 204
3. Computation-Conflict-Free Mappings 207
4. Time-Optimal Mappings without Computational Conflicts 211
5. Parameter-Based Methods 217
6. Applications of the General Parameter Method 230
7. Conclusions 241
References 243

Information as a Commodity: Assessment of Market Value
Abbe Mowshowitz
1. Introduction 248
2. The Information Marketplace 249
3. What Is Information? 252
4. Information Commodities 261
5. Making Information Commodities 267
6. Toward an Inventory of Information Commodities 286
7. Using Information Commodities 291
8. Competition and Regulation 301
9. Conclusion 310
Acknowledgments 310
Endnotes 310
References 312

Author Index 317
Subject Index 329
Contents of Volumes in This Series 335
Contributors
Numbers in parentheses refer to the pages on which the authors' contributions begin.

B. Chandrasekaran (73), Laboratory for AI Research, The Ohio State University, Columbus, Ohio 43210
Jose A. B. Fortes (198), School of Electrical Engineering, Purdue University, West Lafayette, Indiana 47907
Kumar N. Ganapathy (198), Coordinated Science Laboratory, University of Illinois, Urbana, Illinois 61801
John M. Long (146), 2676 Manson Pike, Murfreesboro, Tennessee 37129
Abbe Mowshowitz (248), Department of Computer Science, The City College (CUNY), New York, New York 10031
Günther Pernul (1), Institute of Applied Computer Science, Department of Information Engineering, University of Vienna, A-1010 Vienna, Austria
Weijia Shang (198), Department of Computer Engineering, Santa Clara University, Santa Clara, California 95053
Benjamin W. Wah (198), Coordinated Science Laboratory, University of Illinois, Urbana, Illinois 61801
Preface

The publication of Volume 38 of Advances in Computers continues the in-depth presentation of subjects of both current and continuing interest in computer and information science. Contributions have been solicited from highly respected experts in their fields who recognize the importance of writing substantial review and tutorial articles in their areas of expertise. Advances in Computers permits the publication of survey-type articles written from a relatively leisurely perspective. By virtue of the length of the chapters included, authors are able to treat their subjects both in depth and in breadth.

The Advances in Computers series began in 1960 and now continues in its 35th year with this volume. During this period, in which we have witnessed great expansion and dynamic change in the computer and information fields, the series has played an important role in the development of computers and their applications. The continuation of the series over this lengthy period is a tribute to the reputations and capabilities of the authors who have contributed to it.

Included in Volume 38 are chapters on database security, causal processes, computer-based medical systems, parallel processing with linear arrays, and information treated as a commodity.

In the first chapter, Günther Pernul points out that the general concept of database security is very broad and embraces such areas as the moral and ethical issues imposed by public and society, legal issues in which laws are passed regulating the collection and disclosure of stored information, and more technical issues such as ways of protecting stored information from loss or unauthorized access, destruction, use, modification, or disclosure. He proposes models and techniques that provide a conceptual framework in the effort to counter the possible threats to database security. Emphasis is given to techniques primarily intended to assure a certain degree of confidentiality, integrity, and availability of the data.
Privacy and related legal issues of database security are also discussed. In the second chapter, B. Chandrasekaran states that cognitive agents that are organized to achieve goals in the world have three fundamental activities to perform, namely, making sense of the world, planning actions to achieve goals, and predicting consequences. He reviews over a decade of work on device understanding from a functional perspective. He believes that research on causal and functional representations is just beginning. In his chapter he describes a research agenda for the immediate future, discusses the logic of “understanding,” and also discusses the phenomena of “reasoning.”
In Chapter 3, John Long indicates that the notion of computer-based medical systems embraces the full range of computer systems, both hardware and software, that are designed and built for use in a medical environment. These include embedded computers (hardware and software) found in medical devices. He shows that many of the areas of medicine are changing due to the impact of computers. Computer-based medical systems are revolutionizing medicine and moving it into the information age. The pace is deliberate, as is appropriate for an area that deals with human health. The potential for great benefits exists and many have already been accomplished. By the same token, the changes being brought about because of computers create new problems and exacerbate existing ones.

In the next chapter Fortes, Wah, Shang, and Ganapathy point out that applications of digital signal processing, scientific computing, digital communications, and control are characterized by repeated execution of a small number of computationally intensive operations. In order to meet performance requirements it is often necessary to dedicate hardware with parallel processing capabilities to these specialized operations. Processor arrays, due to their structural regularity and consequent suitability for VLSI implementation, are frequently used for this purpose. They then show that algorithm-specific parallel processing with linear processor arrays can be systematically achieved with the help of the techniques discussed. In particular, they are ideally suited to the algorithms described as affine recurrences or loop nests.

Abbe Mowshowitz in the final chapter considers that the evolution of the marketplace for information appears to be governed by impulses stemming from the displacement of information, knowledge, or skill from persons to artifacts. This process of displacement is an extension of the commoditization of labor, a process that began in earnest with the industrial revolution. The information commodity is to contemporary organizations what the labor commodity was to the pre-industrial workshop: a vehicle for the radical reorganization of production. Triggered by advances in computers and telecommunications, he believes that this displacement process is gaining momentum with the integration of these technologies. Computer-based communications networks will soon reach virtually every organization and person in the industrialized world. Such networks will stimulate an explosive growth in the production and use of information commodities, and support a global marketplace of gigantic proportions.

I am pleased to thank the contributors to this volume. They have given extensively to make this book an important and timely contribution to their profession. Despite the considerable time and effort required, they have recognized the importance of writing substantial review and tutorial contributions in their areas of expertise; their cooperation and assistance
are greatly appreciated. Because of their efforts, this volume achieves a high level of excellence and should be of great value and substantial interest for many years to come. It has been a pleasant and rewarding experience for me to edit this volume and to work with the authors.
MARSHALL C. YOVITS
Database Security

GÜNTHER PERNUL
Institute of Applied Computer Science, Department of Information Engineering, University of Vienna
1. Introduction 1
1.1 The Relational Data Model Revisited 4
1.2 The Vocabulary of Security and Major Database Security Threats 6
2. Database Security Models 8
2.1 Discretionary Security Models 9
2.2 Mandatory Security Models 11
2.3 The Adapted Mandatory Access Control Model 19
2.4 The Personal Knowledge Approach 33
2.5 The Clark and Wilson Model 35
2.6 A Final Note on Database Security Models 37
3. Multilevel Secure Prototypes and Systems 38
3.1 SeaView 39
3.2 Lock Data Views 41
3.3 ASD-Views 43
4. Conceptual Data Model for Multilevel Security 45
4.1 Concepts of Security Semantics 47
4.2 Classification Constraints 50
4.3 Consistency and Conflict Management 57
4.4 Modeling the Example Application 58
5. Standardization and Evaluation Efforts 62
6. Future Directions in Database Security Research 65
7. Conclusions 68
References 69
1. Introduction

Information stored in databases is often considered a valuable and important corporate resource. Many organizations have become so dependent on the proper functioning of their systems that a disruption of service or a leakage of stored information may cause outcomes ranging from inconvenience to catastrophe. Corporate data may relate to financial records, may be essential to the successful operation of an organization, may represent trade secrets, or may describe information about persons whose privacy must be protected. Thus, the general concept of database
security is very broad and embraces such areas as the moral and ethical issues imposed by public and society and legal issues in which laws are passed regulating the collection and disclosure of stored information, or more technical issues such as ways of protecting stored information from loss or unauthorized access, destruction, use, modification, or disclosure. More generally, database security is concerned with ensuring the secrecy, integrity, and availability of data stored in a database.

To define our terms, secrecy denotes the protection of information from unauthorized disclosure either by direct retrieval or indirect logical inference. In addition, secrecy must deal with the possibility that information may also be disclosed by legitimate users acting as an "information channel" by passing secret information to unauthorized users. This may be done intentionally or without the knowledge of the authorized user.

By integrity we understand the need to protect data from malicious or accidental modification, including insertion of false data, contamination of data, and destruction of data. Integrity constraints are rules that define the correct states of a database and thus can protect the correctness of the database during operation.

By availability we understand the characteristic according to which we may be certain that data are available to authorized users when they need them. Availability includes the "denial of service" of a system, as occurs when a system is not functioning in accordance with its intended purpose. Availability is closely related to integrity because "denial of service" may be caused by unauthorized destruction, modification, or delay of service as well.

Database security cannot be seen as an isolated problem as it is influenced by the other components of a computerized system. The security requirements of a system are specified by means of a security policy that is then enforced by various security mechanisms.
For databases, the security requirements can be classified in the following categories:

- Identification, Authentication. Usually, before gaining access to a database, each user has to identify himself to the computer system. Authentication is a way of verifying the identity of a user at log-on time. The most common authentication method is the password, but more advanced techniques like badge readers, biometric recognition techniques, or signature analysis devices are also available.
- Authorization, Access Controls. Authorization consists in the specification of a set of rules that declare who has a particular type of access to a particular type of information. Authorization policies, therefore, govern the disclosure and modification of information. Access controls are procedures that are designed to enforce authorization by limiting access to stored data to authorized users only.
- Integrity, Consistency. An integrity policy gives a set of rules (i.e., semantic integrity constraints) that define the correct states of the database during database operation and, therefore, can protect against malicious or accidental modification of information. Closely related issues are concurrency control and recovery. Concurrency control policies protect the integrity of the database in the presence of concurrent transactions. If these transactions do not terminate normally due to system crashes or security violations, recovery techniques may be used to reconstruct correct or valid database states.
- Auditing. The requirement to keep records of all security-relevant actions issued by a user is called auditing. The resulting audit records are the basis for further reviews and examinations in order to test the adequacy of system controls and to recommend changes in a security policy.
In this chapter our approach will not involve this type of broad perspective of database security. Instead, the main focus will be on aspects of authorization and access controls. This is a legitimate concern, since identification, authentication, and auditing¹ normally fall within the scope of the underlying operating system, and integrity and consistency policies are subject to the closely related topic of "semantic data modeling" or are dependent on the physical design of the database management system (DBMS) software, namely, the transaction and recovery manager. Because most research in database security has concentrated on the relational data model, the discussion in this chapter will focus on the framework of relational databases. However, the results described may generally be applicable to other database models as well. For an overall discussion of basic database security concepts consult the surveys by Jajodia and Sandhu (1990a), Lunt and Fernandez (1990), and Denning (1988). For references to further readings consult the annotated bibliography compiled by Pernul and Luef (1992).

In the remainder of the opening section we briefly review the relational data model, introducing a simple example that will be used throughout the chapter, present the basic terminology used in computer security, and describe the most successful methods of penetrating a database. Because of the diversity of application domains for databases, different security models and techniques have been proposed so far. In Section 2 we review, evaluate, and compare the most prominent examples of these security models and techniques. Section 3 contains an investigation of secure (trusted) database management systems. By a secure DBMS we understand special-purpose systems that support a level-based security policy and are designed and implemented with the main focus on the enforcement of high security requirements. Section 4 focuses on one of the major problems of level-based security-related database research. In this section we address the problem of classifying the data stored in a database so that the security classifications reflect the security requirements of the application domain proper. What is necessary here is to have a clear understanding of all the security semantics of the database application and an appropriately clever database design. A semantic data/security model is proposed in order to arrive at a conceptualization and clear understanding of the security semantics of the database application. Database security (and computer security in general) is subject to many national and international standardization efforts. These efforts are aimed at developing metrics for evaluating the degree of trust that can be placed in the computer products used in the processing of sensitive information. In Section 5 we briefly review these proposals. In Section 6 we point out research challenges in database security and attempt to forecast the direction of the field over the next few years. Section 7 concludes the chapter.

¹ However, audit records are often stored and examined by using DBMS software.
1.1 The Relational Data Model Revisited
The relational data model was invented by Codd (1970) and is described in most database textbooks. A relational database supports the relational data model and must have three basic components: a set of relations, a set of integrity rules, and a set of relational operators. Each relation consists of a state-invariant relational schema $RS(A_1, \ldots, A_n)$, where each $A_i$ is called an attribute and is defined over a domain $dom(A_i)$. A relation $R$ is a state-dependent instance of $RS$ and consists of a set of distinct tuples of the form $(a_1, \ldots, a_n)$, where each element $a_i$ must satisfy $dom(A_i)$ (i.e., $a_i \in dom(A_i)$). Integrity constraints restrict the set of theoretically possible tuples (i.e., $dom(A_1) \times dom(A_2) \times \cdots \times dom(A_n)$) to the set of practically meaningful tuples.

Let $X$ and $Y$ denote sets of one or more of the attributes $A_i$ in a relational schema. We say $Y$ is functionally dependent on $X$, written $X \to Y$, if and only if it is not possible to have two tuples with the same value for $X$ but different values for $Y$. Functional dependencies represent the basis of most integrity constraints in the relational model of data. Since not all possible relations are meaningful in an application, only those that satisfy certain integrity constraints are considered. From the large set of proposed integrity constraints two are of major relevance for security: the key property and the referential integrity property. The key property states
that each tuple must be uniquely identified by a key and a key attribute must not have the null value. Consequently, each real-world event can be represented in the database only once. Referential integrity states that tuples referenced in one relation must exist in others and is expressed by means of foreign keys. These two rules are application-independent and must be valid in each relational database. In addition, many application-dependent semantic constraints may exist in different databases.

Virtual-view relations (or views) are distinguished from base relations. While the former are the result of relational operations and exist only virtually, the latter are actually present in the database and hold the stored data. Relational operations consist of the set operations, a select operation for selecting tuples from relations that satisfy a certain predicate, a project operation for projecting a relation onto a subset of its attributes, and a join operation for combining attributes and tuples from different relations.

The relational data model was first implemented as System R by IBM and as INGRES at U. C. Berkeley. The two projects provided the principal impetus for the field of database security research and also considerably advanced the field as well as forming the basis of most commercially available products.

A few words on the design of a database are in order. The design of a relational database is a complicated and difficult task and involves several phases and activities. Before the final relation schemas can be determined a careful requirements analysis and conceptualization of the database is necessary. Usually this is done using a conceptual data model powerful enough to allow the modeling of all application-relevant knowledge. The conceptual model is used as an intermediate representation of the database and ultimately transferred into corresponding relation schemas.
It is very important to use a conceptual data model at this stage since it is only with such a high-level data model that a database can be created that properly represents all the application-dependent data semantics. The de facto standard for conceptual design is the Entity Relationship (ER) approach (Chen, 1976) or any one of its variants. In its graphical representation and in simplest form ER regards the world as consisting of a set of entity types (boxes), attributes (connected to the boxes), and relationship types (diamonds). Relationship types are defined between entity types and are either of degree (1:1), (1:n), or (n:m). The degree describes the maximum number of participating entities.

Following is a short example of a relational database. This example will be used throughout the chapter. It is a very simple example yet sufficiently complex for presenting many of the security-relevant questions and demonstrating the complexity of the field. Figure 1 contains a conceptualization of the database in the form of an ER diagram and corresponding
FIG. 1. Representations of a sample database. [ER diagram not reproduced. The relation schemas shown are Employee (SSN, Name, Department, Salary), Project (Title, Subject, Client), and Assignment (SSN, Title, Date, Function); in Assignment, SSN and Title are the foreign keys referencing Employee and Project.]
relational schemas (key attributes are underlined, foreign keys are in italics). The database represents the fact that projects within an enterprise are carried out by employees. In this simple example there are three security objects. First, Employee represents a set of employees each of which is uniquely described by a characteristic SSN (Social Security Number). Next are Name (of employee), Department (in which the employee is working), and Salary (of employee). Second, Project refers to a set of projects carried out by the enterprise. Each project has an identifying Title, Subject, and Client. Finally, the security object Assignment contains the assignments of employees to projects. Each Assignment is characterized by the Date of the Assignment and the Function the employee has to perform while participating in the project. A single employee can be assigned to more than one project and a project may be carried out by more than one employee.
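As an added illustration (not code from the chapter), the following Python script declares the three relation schemas of Figure 1 in SQLite and shows the two application-independent rules at work: the key property rejects a duplicate or null SSN, and referential integrity rejects an Assignment that references a nonexistent employee, as well as the deletion of a referenced employee. It also checks a functional dependency X → Y over a set of tuples. The composite key (SSN, Title) of Assignment and the sample tuples are assumptions made for the example.

```python
"""Key property and referential integrity for the chapter's sample database,
demonstrated with SQLite (added example, not from the chapter). Attribute
names follow Figure 1; the composite key (SSN, Title) of Assignment and the
sample tuples below are assumptions made for the illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE Employee (
    SSN        TEXT NOT NULL PRIMARY KEY,   -- key property: unique and never NULL
    Name       TEXT NOT NULL,
    Department TEXT NOT NULL,
    Salary     INTEGER NOT NULL
);
CREATE TABLE Project (
    Title   TEXT NOT NULL PRIMARY KEY,
    Subject TEXT NOT NULL,
    Client  TEXT NOT NULL
);
CREATE TABLE Assignment (
    SSN      TEXT NOT NULL REFERENCES Employee(SSN),  -- foreign key (italic in Fig. 1)
    Title    TEXT NOT NULL REFERENCES Project(Title),  -- foreign key
    Date     TEXT NOT NULL,
    Function TEXT NOT NULL,
    PRIMARY KEY (SSN, Title)                           -- assumed composite key
);
"""


def open_db():
    """In-memory database with the schema above and foreign-key checking enabled."""
    conn = sqlite3.connect(":memory:")
    # SQLite parses REFERENCES clauses but does not enforce them unless told to.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def execute(conn, sql, params):
    """Run one statement; return (True, None), or (False, reason) if a constraint rejects it."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(sql, params)
        return True, None
    except sqlite3.IntegrityError as exc:
        return False, str(exc)


def functionally_dependent(tuples, x, y):
    """X -> Y holds iff no two tuples agree on attributes x but differ on y.
    tuples: list of dicts; x, y: iterables of attribute names."""
    seen = {}
    for t in tuples:
        xv = tuple(t[a] for a in x)
        yv = tuple(t[a] for a in y)
        if seen.setdefault(xv, yv) != yv:
            return False
    return True


def demo():
    """Exercise the constraints on constructed tuples; returns {case: result}."""
    conn = open_db()
    res = {}
    ins_emp = "INSERT INTO Employee VALUES (?, ?, ?, ?)"
    ins_asg = "INSERT INTO Assignment VALUES (?, ?, ?, ?)"
    res["emp_ok"] = execute(conn, ins_emp, ("111", "Smith", "Research", 50000))[0]
    res["proj_ok"] = execute(conn, "INSERT INTO Project VALUES (?, ?, ?)",
                             ("Alpha", "Database", "ACME"))[0]
    # Key property: a second tuple with the same SSN, or a NULL SSN, is rejected.
    res["dup_key"] = execute(conn, ins_emp, ("111", "Jones", "Sales", 40000))[0]
    res["null_key"] = execute(conn, ins_emp, (None, "Brown", "Sales", 40000))[0]
    # Referential integrity: an Assignment must point at an existing Employee and Project.
    res["fk_ok"] = execute(conn, ins_asg, ("111", "Alpha", "1994-01-10", "Analyst"))[0]
    res["fk_bad"] = execute(conn, ins_asg, ("999", "Alpha", "1994-01-10", "Analyst"))[0]
    # ... and a referenced Employee cannot be deleted while the Assignment exists.
    res["del_ref"] = execute(conn, "DELETE FROM Employee WHERE SSN = ?", ("111",))[0]
    # Functional dependency SSN -> Name checked over the stored tuples.
    rows = [dict(zip(("SSN", "Name", "Department"), r))
            for r in conn.execute("SELECT SSN, Name, Department FROM Employee")]
    res["fd_ssn_name"] = functionally_dependent(rows, ("SSN",), ("Name",))
    conn.close()
    return res


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```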
1.2 The Vocabulary of Security and Major Database Security Threats

Before presenting the details of database security research it is necessary to define the terminology used and the potential threats to database security. As we have already pointed out, security requirements are stated by means of a security policy which consists of a set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. In general, a security policy is stated in terms of a set of security objects and a set of security subjects. A security object is a passive entity that contains or receives information. It might be a structured concept like an entire database, a relation, a view, a tuple, an attribute, an attribute value, or even a real-world fact represented in the database.
A security object might also be unstructured, such as a physical memory segment, a byte, a bit, or even a physical device like a printer or a processor. Please note that the term "object" is used differently in other areas of computer science. In the present context, security objects are the target of protection. A security subject is an active entity, often in the form of a person (user) or process operating on behalf of a user. Security subjects are responsible for making changes in a database state and causing information to flow between different objects and subjects.

Most of the sources of threats to database security come from outside the computing system. If the emphasis is mainly on authorization, users and processes operating on behalf of users must be subject to security control. An active database process may be operating on behalf of an authorized user who has legitimate access or it may be active on behalf of an unauthorized person who has succeeded in penetrating the system. In addition, an authorized database user may act as an "information channel" by passing restricted information to unauthorized users either intentionally or without the knowledge of the authorized user. Some of the most successful database penetration methods are the following:

- Misuses of Authority. Improper acquisition of resources, theft of programs or storage media, modification or destruction of data.
- Logical Inference and Aggregation. Both deal with users authorized to use the database. Logical inference arises whenever sensitive information can be inferred by combining less sensitive data. It may also involve certain knowledge from outside the database system. Closely related to logical inference is the aggregation problem, wherein individual data items are not sensitive though a sufficiently large collection of individual values taken together is sensitive.
- Masquerade. A penetrator may gain unauthorized access by masquerading as an authorized user.
- Bypassing Controls. These might be password attacks or exploitation of system trapdoors that get around intended access control mechanisms. Trapdoors are security flaws built into the source code of a program by the original programmer.
- Browsing. A penetrator may circumvent the protection and search through a directory or read dictionary information in an attempt to locate privileged information. Unless strict need-to-know access controls are implemented, the browsing problem becomes a major flaw of database security.
- Trojan Horses. A Trojan horse is hidden software that tricks a legitimate user into unknowingly performing certain actions of which he is not aware. A Trojan horse may be hidden in a sort routine and be designed to release certain data to unauthorized users. Whenever a user activates the sort routine, for example, for the purpose of sorting the result of a database query, the Trojan horse will act using the user's identity and thus will have all the privileges of the user.
- Covert Channels. Usually the information that is stored in a database is retrieved by means of legitimate information channels. In contrast to legitimate channels, covert channels are paths that are not normally intended for information transfer. Such hidden paths may either be storage channels, like shared memory or temporary files that could be used for communication purposes, or timing channels, like a degradation of overall system performance.
- Hardware and Media Attacks. Physical attacks on equipment and storage media.
The attack scenario described above is not restricted to databases. For example, the German Chaos Computer Club succeeded in attacking a NASA system via a masquerade, by bypassing access controls (taking advantage of an operating system flaw), and by using Trojan horses to capture passwords. As reported by Stoll (1988), some of these techniques were also used by the Wily Hacker. The Internet worm in 1988 exploited trapdoors in electronic mail handling systems and infected more than 5,000 machines connected to the Internet (Rochlis and Eichin, 1989). Thompson (1984), in his Turing Award Lecture, demonstrated a Trojan horse placed in the executable form of a compiler that permitted the insertion of a trapdoor in each program compiled with the compiler. It is generally agreed that the number of known cases of computer abuse is significantly smaller than the number of actual cases, since a large number of cases in this area go unreported.
2. Database Security Models
Because of the diversity of application domains for databases, different security models and techniques have been proposed to counter various threats against security. In this section we will discuss the most prominent among them. Put concisely, discretionary security specifies the rules under which subjects can, at their discretion, create and delete objects, and grant and revoke authorizations for accessing objects to other individuals. In addition to controlling access, mandatory security (or protection) regulates the flow of information between objects and subjects. Mandatory security controls are very effective but suffer from several drawbacks. One attempt to overcome certain limitations of mandatory protection systems is the Adapted Mandatory Access Control (AMAC) model, a security technique that focuses on the design aspect of secure databases. The Personal Knowledge approach concentrates on enforcing the basic law of many countries stating the informational self-determination of humans, while the Clark and Wilson model attempts to represent common commercial business practice in a computerized security model. Early efforts at comparing some of these techniques were those of Biskup (1990) and Pernul and Tjoa (1992). Landwehr (1981) is a very good survey of formal policies for computer security in general, and Millen (1989) focuses on various aspects of mandatory computer security.
2.1 Discretionary Security Models
Discretionary security models are fundamental to operating systems and DBMSs and have been studied for some time. There was a great deal of interest in theoretical aspects of these models in the period from 1970 to 1975. Since that time most relational database security research has been focused on other types of security techniques. The appearance of more advanced data models has, nevertheless, renewed interest in discretionary policies.
2.1.1 Discretionary Access Controls
Discretionary access controls (DAC) are based on a collection of concepts, including a set of security objects O, a set of security subjects S, a set of access privileges T defining the kinds of access which a subject has to a certain object, and, in order to represent content-based access rules, a set of predicates P. Applied to relational databases, O, a finite set of values {o1, ..., on}, is understood to represent relation schemas, and S is a finite set of potential subjects {s1, ..., sm} representing users, groups of users, or transactions operating on behalf of users. Access types (privileges) constitute a set of database operations, such as select, insert, delete, update, execute, grant, or revoke, and the predicate p ∈ P defines the access window of a subject s ∈ S on object o ∈ O. The tuple (o, s, t, p) is called an access rule and a function f is defined to determine if an authorization f(o, s, t, p) is valid or not:
f: O × S × T × P → {True, False}.
For any (o, s, t, p), if f(o, s, t, p) evaluates to True, subject s has authorization t to access object o within the range defined by predicate p.
An important property of discretionary security models is the support of the principle of delegation of rights, where a right is the (o, t, p)-portion of the access rule. A subject si who holds the right (o, t, p) may be allowed to delegate that right to another subject sj (i ≠ j). Most systems supporting DAC store access rules in an access control matrix. In its simplest form the rows of the matrix represent subjects, the columns represent the objects, and the intersection of a row and column contains the access type that the subject has authorization for with respect to the object. The access matrix model as a basis for discretionary access controls was formulated by Lampson (1971) and subsequently refined by Graham and Denning (1972) and by Harrison et al. (1976). A more detailed discussion on discretionary controls in databases may be found in the book by Fernandez et al. (1981). Discretionary security is enforced in most commercial DBMS products and is based on the concept of database views. Instead of authorizing access to the base relations of a system, information in the access control matrix is used to restrict the user to a particular subset of the available data. There are two principal system architectures for view-based protection: query modification and view relations. Query modification is implemented in Ingres-style DBMSs (Stonebraker and Rubinstein, 1976) and consists of appending additional security-relevant qualifiers to a user-supplied query. View relations are unmaterialized queries which are based on physical base relations. Instead of authorizing access to base relations, users are given access to virtual view relations only. By means of qualifiers in the view definition, security restrictions can be implemented. View relations are the underlying protection mechanism of System R-based DBMSs (Griffiths and Wade, 1976).
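The access rule (o, s, t, p), the authorization function f and query modification can be made concrete in a few lines. The following is an added example written for this section, not code from the chapter or from any DBMS it cites; the relation rows reuse the chapter's Project titles without their security labels, and the subjects ("manager", "analyst") and predicates are constructed.

```python
"""Discretionary access rules (o, s, t, p) and view-based protection.

Constructed example: models f: O x S x T x P -> {True, False}, stores the
rules in an access-control matrix (rows = subjects, columns = objects) and
shows Ingres-style query modification, where the predicate p of the
matching rule is appended to the user's query as a qualifier.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Row = Dict[str, object]


@dataclass
class AccessRule:
    """One (o, s, t, p) rule; the predicate p is the subject's access window."""
    obj: str
    subject: str
    privilege: str
    predicate: Callable[[Row], bool]
    predicate_sql: str      # the same p as a SQL qualifier, for query modification


class AccessMatrix:
    def __init__(self) -> None:
        # cell (subject, object) -> the rules that subject holds on that object
        self._cells: Dict[Tuple[str, str], List[AccessRule]] = {}

    def grant(self, rule: AccessRule) -> None:
        self._cells.setdefault((rule.subject, rule.obj), []).append(rule)

    def f(self, obj: str, subject: str, privilege: str, row: Row) -> bool:
        """Authorization function: True iff some rule grants t on o to s
        and its predicate p admits this row."""
        return any(r.privilege == privilege and r.predicate(row)
                   for r in self._cells.get((subject, obj), []))

    def modify_query(self, subject: str, obj: str, privilege: str,
                     user_query: str) -> Optional[str]:
        """Query modification: wrap the user's query in the subject's access
        window. None when the subject holds no rule for the privilege."""
        rules = [r for r in self._cells.get((subject, obj), [])
                 if r.privilege == privilege]
        if not rules:
            return None
        window = " OR ".join(f"({r.predicate_sql})" for r in rules)
        return f"SELECT * FROM ({user_query}) AS q WHERE {window}"


def filtered_select(matrix: AccessMatrix, subject: str, obj: str,
                    rows: List[Row]) -> List[Row]:
    """Row-level enforcement of f for select: rows outside the window are
    filtered out rather than failing the whole query."""
    return [row for row in rows if matrix.f(obj, subject, "select", row)]


# Constructed sample data: the chapter's Project titles, without labels.
PROJECT: List[Row] = [
    {"title": "Alpha", "subject": "Development", "client": "A"},
    {"title": "Beta", "subject": "Research", "client": "B"},
    {"title": "Celsius", "subject": "Production", "client": "C"},
]


def build_matrix() -> AccessMatrix:
    m = AccessMatrix()
    # manager: unrestricted select on Project
    m.grant(AccessRule("Project", "manager", "select", lambda r: True, "TRUE"))
    # analyst: may only see projects that do not belong to client A
    m.grant(AccessRule("Project", "analyst", "select",
                       lambda r: r["client"] != "A", "client <> 'A'"))
    # analyst: may update research projects only
    m.grant(AccessRule("Project", "analyst", "update",
                       lambda r: r["subject"] == "Research", "subject = 'Research'"))
    return m


def titles_visible_to(subject: str) -> List[str]:
    rows = filtered_select(build_matrix(), subject, "Project", PROJECT)
    return [str(r["title"]) for r in rows]


if __name__ == "__main__":
    print(titles_visible_to("analyst"))
    print(build_matrix().modify_query("analyst", "Project", "select",
                                      "SELECT * FROM Project"))
```

The two enforcement paths return the same rows: filtered_select applies p to each row in the application, while modify_query pushes p into the query so the DBMS applies it. A subject with no rule gets None from modify_query rather than an unqualified query, which is the failure mode to check for in a query-modification implementation.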
2.1.2 DAC-Based Structural Limitations
Although quite common, discretionary models suffer from major drawbacks when applied to databases with security-critical content. In particular the following limitations are encountered:
• Enforcement of Security Policy. DAC is based on the concept of ownership of information. In contrast to enterprise models, where the whole enterprise is the "owner" of the information and responsible for granting access to stored data, DAC systems assign ownership of the information to the creator of data items in the database and allow the creator the authority to grant access to other users. This has the disadvantage that the burden of enforcing the security requirements of the enterprise becomes the responsibility of the users themselves and can be monitored by the enterprise only at great expense.
• Cascading Authorization. If two or more subjects have the privilege of granting or revoking certain access rules to other subjects, cascading revocation chains may ensue. As an example, consider subjects s1, s2, and s3, and an access rule (s1, o, t, p). Subject s2 receives the privilege (o, t, p) from s1 and grants this access rule to s3. Later, s1 grants (o, t, p) again to s3, but s2 takes the privilege (o, t, p) away from s3 for some reason. The effect of these operations is that s3 still has the authorization (from s1) to access object o by satisfying the predicate p and using privilege t, even though subject s2 has revoked this authorization. This has the consequence that subject s2 is not aware of the fact that the authorization (s3, o, t, p) is still in effect.
• Trojan Horse Attacks. In systems supporting DAC the identity of the subjects is crucial. If actions can be performed by one subject using another subject's identity, DAC can be subverted. By a "Trojan horse" is understood software that grants a certain right (o, t, p) held by subject si to subject sj (i ≠ j) without the knowledge of subject si. Any program that runs on behalf of a subject acts under the identity of this subject and, therefore, possesses all the DAC access rights of the subject's processes. If a program contains a Trojan horse that has the functionality of granting access rules to other users, this feature cannot be restricted by discretionary access control methods.
• Updating Problems. View-based protection results in unmaterialized queries which have no explicit physical representation in the database. This has the advantage of providing a high level of flexible support to subjects with different views and automatic filtering out of all data a subject is not authorized to access, though it has the disadvantage of making it impossible to update all the data through certain views. This feature is a result of integrity factors that might be violated in data not contained in the view once the data from the view are updated.
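The cascading-authorization scenario above is easiest to see when each grant records who issued it. The following is an added example, not code from the chapter: it replays the s1, s2, s3 sequence and shows how a revocation that tracks grantors can report that s3 is still authorized through s1, instead of leaving s2 unaware. It is a simplified variant of the System R grant-tracking scheme (which additionally uses grant timestamps) and not that algorithm itself; a mutual grant cycle with no path back to the owner would keep itself alive in this simplification.

```python
"""Delegation of rights with grant tracking and cascading revocation.

Constructed example. A right is the (o, t, p) portion of an access rule;
every grant stores its grantor, so revoke() removes only the grants the
revoker issued, cascades to grants the grantee can no longer support, and
returns the grantors whose grants still keep the grantee authorized.
"""
from typing import List, Set, Tuple

Right = Tuple[str, str, str]      # (object, privilege, predicate) = (o, t, p)
Grant = Tuple[str, str, Right]    # (grantor, grantee, right)

OWNER = "<owner>"                 # pseudo-grantor marking the original holder


class GrantGraph:
    def __init__(self, original_holder: str, right: Right) -> None:
        self.grants: List[Grant] = [(OWNER, original_holder, right)]

    def holders(self, right: Right) -> Set[str]:
        """Subjects currently authorized for the right, by any grantor."""
        return {grantee for _, grantee, r in self.grants if r == right}

    def grant(self, grantor: str, grantee: str, right: Right) -> None:
        if grantor not in self.holders(right):
            raise PermissionError(f"{grantor} does not hold {right}")
        self.grants.append((grantor, grantee, right))

    def revoke(self, revoker: str, grantee: str, right: Right) -> Set[str]:
        """Remove the grant revoker issued to grantee, cascade, and report the
        grantors whose grants still authorize grantee (empty = fully revoked)."""
        self.grants = [g for g in self.grants if g != (revoker, grantee, right)]
        self._cascade(right)
        return {grantor for grantor, ge, r in self.grants
                if ge == grantee and r == right}

    def _cascade(self, right: Right) -> None:
        # drop grants whose grantor no longer holds the right, until stable
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                grantor, _, r = g
                if r == right and grantor != OWNER and grantor not in self.holders(right):
                    self.grants.remove(g)
                    changed = True


RIGHT: Right = ("Project", "select", "client <> 'A'")   # constructed (o, t, p)


def dangling_authorization() -> Tuple[Set[str], Set[str]]:
    """The chapter's scenario: s1 -> s2, s2 -> s3, s1 -> s3, then s2 revokes s3.
    Returns (grantors still authorizing s3, all holders of the right)."""
    g = GrantGraph("s1", RIGHT)
    g.grant("s1", "s2", RIGHT)
    g.grant("s2", "s3", RIGHT)
    g.grant("s1", "s3", RIGHT)
    remaining = g.revoke("s2", "s3", RIGHT)
    return remaining, g.holders(RIGHT)


def cascading_revocation() -> Set[str]:
    """s1 -> s2 -> s3, then s1 revokes s2: s3's grant from s2 can no longer
    be supported and is removed too."""
    g = GrantGraph("s1", RIGHT)
    g.grant("s1", "s2", RIGHT)
    g.grant("s2", "s3", RIGHT)
    g.revoke("s1", "s2", RIGHT)
    return g.holders(RIGHT)


if __name__ == "__main__":
    print(dangling_authorization())   # ({'s1'}, {'s1', 's2', 's3'})
    print(cascading_revocation())     # {'s1'}
```

The value returned by revoke() is the operational point: a DAC system that only deletes the revoker's own entry and tells the revoker nothing leaves s2 believing s3 is cut off, which is exactly the limitation the text describes.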
2.2 Mandatory Security Models
Mandatory policies address a higher level of threat than do discretionary policies since, in addition to controlling access to data, they control the flow of data as well. Moreover, mandatory security techniques do not suffer from the structural limitations of DAC-based protection.
2.2.1 Mandatory Access Controls Whereas discretionary models are concerned with defining, modeling, and enforcing access to information, mandatory security models are, in addition, also concerned with the flow of information within a system.
Mandatory security requires that security objects and subjects be assigned certain security levels represented by a label. The label for an object o is called its classification (class(o)) and the label for a subject s is called its clearance (clear(s)). The classification represents the sensitivity of the labeled data, while the clearance of a subject represents its trustworthiness not to disclose sensitive information to others. A security label consists of two components: a level from a hierarchical list of sensitivity levels or access classes (for example: top-secret > secret > confidential > unclassified) and a member of a nonhierarchical set of categories, representing classes of object types of the universe of discourse. Clearance and classification levels are totally ordered, while the resulting security labels are only partially ordered; thus, the set of classifications forms a lattice. In this lattice security class c1 is comparable to and dominates (≥) security class c2 if the sensitivity level of c1 is greater than or equal to that of c2 and if the categories in c1 contain those in c2. Mandatory security grew out of the military environment where the practice is to label information. However, this custom is also common in many companies and organizations where labels such as "confidential" or "company confidential" are used. Mandatory access control (MAC) requirements are often stated following Bell and LaPadula (1976) and formalized in the following two rules. The first (simple property) protects the information of a database from unauthorized disclosure, and the second (*-property) protects data from contamination or unauthorized modification by restricting the information flow from high to low:
1. Subject s is allowed to read data item d if clear(s) ≥ class(d).
2. Subject s is allowed to write data item d if clear(s) ≤ class(d).
A few final remarks on MAC policies are in order.
In many discussions confusion has arisen concerning the fact that in mandatory systems it is not enough to have stringent controls over who can read which data. Why is it necessary to include stringent controls over who can write which data in systems with high security requirements? The reason is that a system with high security needs must protect itself against attacks from unauthorized as well as from authorized users. There are several ways authorized users may disclose sensitive information to others. This can happen by mistake, as a deliberate illegal action, or the user may be tricked into doing so by a Trojan horse attack. The simplest way in which information is disclosed by an authorized user occurs when information is retrieved from a database, copied into an “owned” object, and the copy then made available to others. To prevent an authorized user from doing so, it is necessary to control his ability to make copies (which implies the writing of data). In particular,
once a transaction has successfully completed a read attempt, the protection system must ensure that no write to a lower security level (write-down) can occur, caused by a user who is authorized to execute a read transaction. As read and write checks are both mandatory controls, a MAC system successfully protects against attempts to copy information and give copies to unauthorized users. By not allowing higher classified subjects the capability to "write down" on lower classified data, the information flow among subjects with different clearances can be efficiently controlled. Inasmuch as covert storage channels require writing to objects, the *-property also helps limit leakage of information along such hidden paths. Mandatory integrity policies have also been studied. Biba (1977) has formulated an exact mathematical dual of the Bell-LaPadula model with integrity labels and two properties: no write-up in integrity and no read-down in integrity. That is, low-integrity objects (including subjects) are not permitted to contaminate objects of higher integrity, or, in other words, no resource is permitted to depend upon other resources unless the latter are at least as trustworthy as the former. As an interesting optional feature, mandatory security and the Bell-LaPadula (BLP) paradigm may lead to multilevel databases. These are databases containing relations which appear to be different to users with different clearances. This is accomplished by application of two policies, first by not allowing all clearances to authorize all subjects to all the data, and, second, by the fact that the support of MAC may lead to polyinstantiation of attributes or tuples. We will discuss polyinstantiation and the multilevel relational data model in more detail in the next subsection.
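The label lattice of Section 2.2.1, the two Bell-LaPadula rules, the copy argument just given and the Biba dual can all be exercised with one small label type. The following is an added example, not the chapter's code; it uses the chapter's levels TS > S > Co > U, while the category names in the sample labels ("nuclear", "crypto") are constructed.

```python
"""Security labels, the dominance lattice, and the BLP and Biba rules.

Constructed example. A label pairs a level from the totally ordered
hierarchy TS > S > Co > U with a set of categories; dominates() is the
partial order on labels, lub() the least upper bound of the lattice.
may_read/may_write implement the simple property and the *-property;
biba_may_read/biba_may_write are the integrity dual (no read-down, no
write-up) formulated over integrity labels of the same shape.
"""
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"U": 0, "Co": 1, "S": 2, "TS": 3}   # hierarchical component


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """c1 >= c2: higher-or-equal level and a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def comparable(self, other: "Label") -> bool:
        return self.dominates(other) or other.dominates(self)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the higher level, union of the categories."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.categories | b.categories)


# Bell-LaPadula (confidentiality)
def may_read(clear: Label, cls: Label) -> bool:
    """Simple property: read d only if clear(s) >= class(d)."""
    return clear.dominates(cls)


def may_write(clear: Label, cls: Label) -> bool:
    """*-property: write d only if clear(s) <= class(d), i.e. no write-down."""
    return cls.dominates(clear)


def copy_allowed(clear: Label, source: Label, target: Label) -> bool:
    """Copying is a read of the source followed by a write of the target, so
    both rules apply; this is what stops an authorized reader from re-creating
    the data in a lower classified, 'owned' object."""
    return may_read(clear, source) and may_write(clear, target)


# Biba (integrity): the exact dual, over integrity labels
def biba_may_read(subject_int: Label, object_int: Label) -> bool:
    """No read-down in integrity: do not depend on less trustworthy data."""
    return object_int.dominates(subject_int)


def biba_may_write(subject_int: Label, object_int: Label) -> bool:
    """No write-up in integrity: low integrity may not contaminate high."""
    return subject_int.dominates(object_int)


if __name__ == "__main__":
    s = Label("S")
    print(may_read(s, Label("U")), may_write(s, Label("U")))   # True False
    print(copy_allowed(s, Label("S"), Label("U")))             # False
```

Two labels at the same level but with disjoint categories are incomparable, so a subject cleared for one cannot read the other; their lub is what a tuple class has to be when a tuple carries both.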
2.2.2 The Multilevel Secure Relational Data Model
In this subsection we will define the basic components of the multilevel secure (MLS) relational data model. We will consider the most general case, i.e., the case in which an individual attribute value is subject to a security label assignment. We start by using the sample database scenario from the Introduction. Throughout the text, whenever the example is referred to, the existence of four sensitivity levels, denoted TS, S, Co, and U (where TS > S > Co > U), and only one category is assumed. In each relational schema TC is an additional attribute and contains the tuple classification. Consider the three different instances of the relation "Project" given in Fig. 2. Figure 2(a) corresponds to the view of subject s with clear(s) = S. Because of the simple property of BLP (read-access rule), users cleared at U see the instance of Project shown in Fig. 2(b). In this case the simple property of BLP automatically filters out data that dominate U. Consider further a subject s with clear(s) = U and an insert operation in which the
Fig. 2. Instances of MLS relation "Project".

(a) Project_S
Title       | Subject         | Client  | TC
Alpha, S    | Development, S  | A, S    | S
Beta, U     | Research, S     | B, S    | S
Celsius, U  | Production, U   | C, U    | U

(b) Project_U
Title       | Subject         | Client  | TC
Beta, U     | null, U         | null, U | U
Celsius, U  | Production, U   | C, U    | U
user wishes to insert the tuple (Alpha, Production, D) into the relation shown in Fig. 2(b). Because of the key integrity property, a standard relational DBMS would not allow this operation (although not seen by user s, a key Alpha already exists in Project). However, from a security point of view, the insert must not be rejected because otherwise there will be a covert signalling channel from which s may conclude that sensitive information he is not authorized to access may exist. The outcome of the operation is shown in Fig. 2(c) and consists of a polyinstantiated tuple in the MLS relation Project. A similar situation occurs if a subject cleared for the U-level updates (Beta, null, null) in Project as shown in Fig. 2(b) by replacing the null values with certain data items. Again, this leads to polyinstantiation in Project. As another example of polyinstantiation, assume that a subject with clear(s) = S wishes to update (Celsius, Production, C). In systems supporting MAC such an update is not allowed because of the *-property of BLP, so as to prevent an undesired information flow from subjects cleared at the S-level to subjects cleared at the U-level. Thus, if an S-level subject wishes to update the tuple, the update again must result in polyinstantiation. The problem of polyinstantiation arises out of the need to avoid a covert channel. Lampson (1973) has defined a covert channel as a means of downward information flow. As an example let us consider the situation just described once again. If an insert operation initiated by some subject is rejected because of the presence of a tuple at a higher level, the subject might be able to infer the existence of that tuple, resulting in a downward information flow. With respect to security much more may happen than just inferring the presence of a tuple. The success or failure of the service request, for example, can be applied repeatedly to communicate one bit of information (0: failure, 1: success) to a lower level. Therefore, the problem is not only that of inferring a classified tuple; moreover, any information visible at the higher level can be sent through a covert channel to the lower level. The theory of most data models is built around the concept that a real-world fact may be represented in a database only once. Because of polyinstantiation, this fundamental property is no longer true for MLS databases, thus requiring the development of a new theory. The state of development of MLS relational theory has been considerably advanced by research in the SeaView project (see Denning et al., 1988 or Lunt et al., 1990). The following discussion of the theoretical concepts underlying the MLS relational data model is based principally on the model developed by Jajodia and Sandhu (1991a). In the Jajodia-Sandhu model, each MLS relation consists of a state-invariant multilevel relational schema RS(A1, C1, ..., An, Cn, TC), where each Ai is an attribute defined over a domain dom(Ai), each Ci is a classification for Ai, and TC is the tuple class. The domain of Ci is defined by [Li, Hi], which is a sublattice consisting of all security labels. The resulting domain of TC is [lub{Li, i = 1..n}, lub{Hi, i = 1..n}], where lub denotes the least-upper-bound operation in the sublattice of security labels. In the Jajodia-Sandhu model TC is included but is an unnecessary attribute. A multilevel relation schema corresponds to a collection of state-dependent relation instances Rc, one for each access class c. A relation instance is denoted by Rc(A1, C1, ..., An, Cn, TC) and consists of a set of distinct tuples of the form (a1, c1, ..., an, cn, tc), where each ai ∈ dom(Ai), c ≥ ci, ci ∈ [Li, Hi], and tc = lub{ci, i = 1..n}. We use the notation t[Ai] to refer to the value of attribute Ai in tuple t, while t[Ci] denotes the classification of Ai in tuple t. Because of the simple property of BLP, t[Ai] is visible for subjects with clear(s) ≥ t[Ci]; otherwise t[Ai] is replaced with the null value. The standard relational model is based on two core integrity properties: the key property and the referential integrity property. In order to meet the requirements for MLS databases, both have been adapted and two further properties have been introduced. In the standard relational data model a key is derived by using the concept of functional dependencies. In the MLS relational model such a key is called an apparent key. Its notion has been defined by Jajodia et al. (1990). For the following we assume that
RS(A1, C1, ..., An, Cn, TC) is an MLS relational schema and that A (A ⊆ {A1, ..., An}) is the attribute set that forms its apparent key.
[MLS integrity property 1]: Entity integrity. An MLS relation R satisfies entity integrity if and only if for all instances Rc and t ∈ Rc the following conditions hold:
1. Ai ∈ A ⇒ t[Ai] ≠ null
2. Ai, Aj ∈ A ⇒ t[Ci] = t[Cj]
3. Ai ∉ A ⇒ t[Ci] ≥ t[CA] (CA is the classification of key A).
Entity integrity states that the apparent key may not have the null value, must be uniformly classified, and that its classification must be dominated by all the classifications of the other attributes.
[MLS integrity property 2]: Null integrity. R satisfies null integrity if and only if for each instance Rc of R the following conditions hold:
1. For every t ∈ Rc, t[Ai] = null ⇒ t[Ci] = t[CA]
2. Rc is subsumption free, i.e., it does not contain two distinct tuples such that one subsumes the other. A tuple t subsumes a tuple s if for every attribute Ai, either t[Ai, Ci] = s[Ai, Ci] or t[Ai] ≠ null and s[Ai] = null.
Null integrity states that null values must be classified at the level of the key and that for subjects cleared for higher security classes, null values visible to lower clearances are replaced by the proper values automatically. The next property deals with consistency between the different instances Rc of R. The inter-instance property was first defined by Denning et al. (1988) within the SeaView framework, later corrected by Jajodia and Sandhu (1990b) and later again included in SeaView by Lunt et al. (1990).
[MLS integrity property 3]: Inter-instance integrity. R satisfies inter-instance integrity if for all instances Rc of R and all c' < c, a filter function σ produces Rc'. In this case Rc' = σ(Rc, c') must satisfy the following conditions:
1. For every t ∈ Rc such that t[CA] ≤ c' there must be a tuple t' ∈ Rc' with t'[A, CA] = t[A, CA] and, for Ai ∉ A,
   t'[Ai, Ci] = t[Ai, Ci] if t[Ci] ≤ c', and t'[Ai, Ci] = (null, t[CA]) otherwise.
2. There are no additional tuples in Rc' other than those derived by the above rule. Rc' is made subsumption free.
The inter-instance property is concerned with consistency between relation instances of a multilevel relation R. The filter function σ maps R to different instances Rc' (one for each c' < c). Through the use of filtering a user is restricted to that portion of the multilevel relation for which the user is cleared. If c' dominates some security levels in a tuple but not others, then during query processing the filter function σ replaces all attribute values the user is not cleared to see by null values. Because of this filter function a shortcoming arises in the Jajodia-Sandhu model which was pointed out by Smith and Winslett (1992). Smith and Winslett state that σ introduces an additional semantics for nulls. In the Jajodia-Sandhu model a null value can now mean "information available but hidden," and this null value cannot be distinguished from a null value representing the semantics "value exists but not known" or a null value with the meaning "this property will never have a value." In a database all kinds of nulls may be present, and at a certain security level it may be difficult for subjects to say what should be believed at that level. Let us now turn our attention to polyinstantiation. As we have seen in the example given earlier, polyinstantiation may occur on a number of different occasions, for example, when a user with low clearance attempts to insert a tuple that already exists with higher classification, or when a user wishes to change values in a lower classified tuple. Polyinstantiation may also occur because of a deliberate action in the form of a cover story, where lower cleared users should not be supplied with the proper values of a certain fact. Some researchers state that the use of polyinstantiation to establish cover stories is a bad idea and should not be permitted. However, if supported, it may not occur within the same access class.
[MLS integrity property 4]: Polyinstantiation integrity. R satisfies polyinstantiation integrity if for every Rc and each attribute Ai, the functional dependency A, Ci → Ai (i = 1..n) holds. Property 4 states that an apparent key A and the classification of an attribute correspond to one and only one value of the attribute, i.e., polyinstantiation may not occur within a single access class. In many DBMSs supporting an MLS relational data model, multilevel relations exist only at the logical level. In such systems multilevel relations are decomposed into a collection of single-level base relations which are then physically stored in the database. Completely transparent multilevel relations are constructed from these base relations upon user demand. The reasons underlying this approach are mainly practical in nature. First, fragmentation of data based on the sensitivity of the data is a natural and intuitive solution to security and, second, available and well-accepted technology may be used for implementation of MLS systems. In particular, the decomposition approach has the advantage of not requiring extension of the underlying trusted computing base (TCB) to include mandatory controls on multilevel relations, which means that the TCB can be implemented with a small amount of code. Moreover, it allows the DBMS to run mainly as an untrusted application on top of the TCB. We will come back to this issue in Section 3 in a discussion of different implementations of trusted DBMSs.
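The Fig. 2 scenario (the U-level insert of Alpha, the U-level update of Beta, the S-level update of Celsius) and integrity properties 1 to 4 can be run against a small in-memory multilevel relation. The following is an added example constructed for this subsection; it is not code from the chapter, from SeaView or from Jajodia and Sandhu. It starts from the Fig. 2(a) instance and, as a simplification, classifies every cell a subject writes, including the key, at the writer's clearance.

```python
"""MLS relation 'Project' (Fig. 2): filter function, integrity checks,
polyinstantiation.

Constructed example. Each tuple stores (value, class) per attribute, the
apparent key is Title, and TC is derived as the lub of the cell classes.
filter_instance() is the inter-instance filter σ(R_c, c') of property 3
(cells the subject does not dominate become null at the key's class; the
result is made subsumption free as property 2 requires). entity_integrity()
and polyinstantiation_integrity() check properties 1 and 4. write()
polyinstantiates instead of rejecting, so a low subject never learns that a
higher-classified tuple with the same key exists. With the chapter's single
category, labels are totally ordered, so dominance is a level comparison.
"""
from typing import Dict, List, Optional, Tuple

LEVELS = {"U": 0, "Co": 1, "S": 2, "TS": 3}
Cell = Tuple[Optional[str], str]          # (value, classification)
MLSTuple = Dict[str, Cell]                # attribute -> cell
ATTRS = ["Title", "Subject", "Client"]
KEY = "Title"                             # the apparent key A


def dom(c1: str, c2: str) -> bool:
    return LEVELS[c1] >= LEVELS[c2]


def tuple_class(t: MLSTuple) -> str:
    """TC = lub of the cell classes (the max level with one category)."""
    return max((c for _, c in t.values()), key=LEVELS.__getitem__)


def entity_integrity(t: MLSTuple) -> bool:
    """Property 1: key not null; every cell class dominates the key's class."""
    key_val, key_cls = t[KEY]
    return key_val is not None and all(dom(c, key_cls) for _, c in t.values())


def polyinstantiation_integrity(rel: List[MLSTuple]) -> bool:
    """Property 4: FD A, C_i -> A_i, one value per (key, attribute, class)."""
    seen: Dict[Tuple[Optional[str], str, str], Optional[str]] = {}
    for t in rel:
        for a in ATTRS:
            val, cls = t[a]
            if seen.setdefault((t[KEY][0], a, cls), val) != val:
                return False
    return True


def subsumes(t: MLSTuple, s: MLSTuple) -> bool:
    """t subsumes s: every cell equal, or t holds a value where s holds null."""
    return t is not s and all(
        t[a] == s[a] or (t[a][0] is not None and s[a][0] is None) for a in ATTRS)


def filter_instance(rel: List[MLSTuple], c: str) -> List[MLSTuple]:
    """σ(R, c): the instance seen by a subject cleared at c."""
    out: List[MLSTuple] = []
    for t in rel:
        key_val, key_cls = t[KEY]
        if not dom(c, key_cls):               # key not dominated: tuple hidden
            continue
        out.append({a: (t[a] if dom(c, t[a][1]) else (None, key_cls)) for a in ATTRS})
    return [t for t in out if not any(subsumes(s, t) for s in out)]


def visible(rel: List[MLSTuple], c: str) -> List[Tuple[Optional[str], ...]]:
    """Plain value tuples of σ(R, c), in relation order."""
    return [tuple(t[a][0] for a in ATTRS) for t in filter_instance(rel, c)]


def write(rel: List[MLSTuple], c: str, values: Dict[str, str]) -> None:
    """Insert/update by a subject cleared at c. A tuple whose cells are all at
    c is updated in place; otherwise a new tuple classified at c is added,
    which polyinstantiates when the key already exists at another class.
    Rejecting the write would signal that higher tuple (a covert channel)."""
    new = {a: (values[a], c) for a in ATTRS}
    for t in rel:
        if t[KEY] == new[KEY] and tuple_class(t) == c:
            t.update(new)
            return
    rel.append(new)


def fig2a() -> List[MLSTuple]:
    """The chapter's Fig. 2(a) instance of Project."""
    return [
        {"Title": ("Alpha", "S"), "Subject": ("Development", "S"), "Client": ("A", "S")},
        {"Title": ("Beta", "U"), "Subject": ("Research", "S"), "Client": ("B", "S")},
        {"Title": ("Celsius", "U"), "Subject": ("Production", "U"), "Client": ("C", "U")},
    ]


if __name__ == "__main__":
    rel = fig2a()
    print(visible(rel, "U"))                     # Fig. 2(b), Beta with nulls
    write(rel, "U", {"Title": "Alpha", "Subject": "Production", "Client": "D"})
    print(visible(rel, "S"))                     # two Alpha tuples: polyinstantiated
```

Running the three operations from the text shows what each clearance sees afterwards: the U subject sees its own Alpha and Beta values and nothing of the S data, the S subject sees both versions of each, and polyinstantiation_integrity() stays true throughout because the duplicates differ in class. The subsumption step in filter_instance() is what makes the U user's (Beta, null, null) disappear once a U-classified Beta exists, as null integrity requires.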
2.2.3 MAC-Based Structural Limitations
Although more restrictive than DAC models, MAC techniques require certain extensions in order to be applied to databases in an efficient way. In particular, the following drawbacks in multilevel secure databases and mandatory access controls based on BLP represent structural limitations:
• Granularity of the Security Object. It is not yet agreed what should be the granularity of labeled data. Proposals range from protecting whole databases, to protecting files, protecting relations, attributes, or even certain attribute values. In any case, careful labeling is necessary since otherwise inconsistent or incomplete label assignments could result.
• Lack of an Automated Security Labeling Technique. Databases usually contain a large collection of data and serve many users, and in many civil applications the labeled data are not available. This is why manual security labeling is necessary, though it may also result in an almost endless process for large databases. Therefore, support techniques are needed, in the form of guidelines and design aids for multilevel databases, tools to help in determining relevant security objects, and tools that suggest clearances and classifications.
• N-persons Access Rules. Because of information flow policies, higher cleared users are restricted from writing down on lower classified data items. However, organizational policies may require that certain tasks be carried out by two or more persons (four-eyes principle) having different clearances. As an example, consider subjects s1, s2 with clear(s1) > clear(s2), data item d with class(d) = clear(s2), and a business rule that specifies that s2 writing d requires the approval of s1. Following Bell-LaPadula's write-access rule it would be necessary for s1 and s2 to have the same level of clearance. This may be inadequate in business applications of MLS database technology.
2.3 The Adapted Mandatory Access Control Model
The principal goals of the Adapted Mandatory Access Control (AMAC) model are to adapt mandatory access controls to better fit general-purpose data processing practice and to offer a design framework for databases containing sensitive information. In order to overcome the MAC-based limitations discussed earlier, AMAC offers several features that assist the database designer in performing the different activities involved in designing a database containing sensitive information. AMAC has the following advantages when used as a security technique for databases:
• The technique supports all phases of the database design process and can be used to construct discretionary-protected as well as mandatory-protected databases.
• If mandatory protection is required, a supporting policy for the purpose of deriving database fragments as the target of protection is provided. This responds to concerns regarding the granularity of security objects in multilevel systems.
• If mandatory protection is required, automated security labeling of security objects and subjects is supported. Automated labeling leads to candidate security labels that can be refined by a human security administrator if necessary. This overcomes the limitation that labeled data often is not available.
• In AMAC security is enforced through the use of database triggers and thus can be fine-tuned to meet application-dependent security requirements. For example, the n-eyes principle may be supported in some applications but not in others where information flow control is a major concern of the security policy.
We will first give a general overview of the AMAC technique followed by a more formal discussion and an example.
2.3.1 AMAC General Overview
Adapted mandatory security belongs to the class of role-based security models which assume that each potential user of the system performs a certain role in the organization. Based on their role users are authorized to execute specific database operations on a predefined set of data. The AMAC model covers not only access control issues; it also includes a database design environment with the principal emphasis on the security of the databases which are produced. These databases may be implemented in DBMSs that support DAC exlusively or in DBMs that support both DAC and MAC. The technique combines well known and widely accepted
20
GUNTHER PERNUL
concepts from the field of data modeling with concepts from the area of data security research. In AMAC the following are the design phases for security-critical databases: 1. Requirements Analysis and Conceptual Design. Based on the role which they perform in the organization potential users of a database may be classified into a number of different groups whose data and security requirements may differ significantly. The Entity-Relationship (ER) model and its variants serve as an almost de facto standard for conceptual database design and have been extended in AMAC to model and describe security requirements. The security and data requirements of each role performed in an organization are described by the individual ER schemas and form the view (perception) which each user group has of the enterprise data. Note that in this setting the notion of a view embraces all the information which a user performing a certain role in an organization is aware of. This information includes data, security requirements, and functions. Thus, the notion of views here is different from its sense in a DAC environment. To arrive at a conceptualization of the whole information system as seen from the viewpoint of the enterprise, AMAC employs view-integration techniques in a further design step. The resulting conceptual database model is described by a single ER schema which is extended by security flags that indicate security requirements entailed by certain user roles. 2. Logical Design. In order to implement the conceptual schema into a DBMS a transformation from the ER schema to the data model supported by the DBMS in use is necessary. AMAC contains general rules and guidelines for the translation of ER schemas into the relational data model. 
The output of the transformation process is a set of relational schemas, global dependencies that are defined between schemas and are necessary for maintaining database consistency in the further design steps, and a set of views, which now describe the access requirements entailed by the relation schemas. If the DBMS that is to hold the resulting database is capable only of supporting DAC, the relational schemas become candidates for implementation and the view descriptors may be employed as discretionary access controls. If a particular DBMS supports MAC, further design activities are necessary. The Requirements Analysis, Conceptual and Logical Design phases in AMAC are described by Pernul and Tjoa (1991). 3. The AMACSecurity Object. In order to enforce mandatory security it is necessary to decide which security objects and security subjects are both subject to security label assignments. In AMAC a security object is a database fragment and a subject is a view. Fragments are derived using structured database decomposition and views are derived by combining
DATABASE SECURITY
21
these fragments. A fragment is the largest area of the database to which two or more views have access in common. Additionally, no view exists with access to a subset of the fragment only. Pernul and Luef (1991) developed the structured decomposition approach and the automated labeling policy. Their work includes techniques for a lossless decomposition into fragments and algorithms to keep fragmented databases consistent during database update. It should be noted that a database decomposition into disjoint fragments is a natural way of implementing security controls in databases. 4. Support of Automated Security Labeling. As in most applications labeled data is not available, AMAC offers a supporting policy for automated security labeling of security objects and security subjects. Automated labeling is based on the following assumption: The larger the number of users cleared to access a particular fragment, the lower the sensitivity of the data contained in the fragment and, thus, the lower the level of classification with which the fragment has to be provided. This assumption would appear to be valid, inasmuch as a fragment that is accessed by many users will not contain sensitive information and, on the other hand, a fragment that is accessible to only a few users can be classified as highly sensitive. Views (respectively, users having a particular view as their access window to data) are ordered based on the number of fragments they may access (are defined over) and, in addition, based on the classifications assigned to the fragments. In general, a view needs a clearance that allows corresponding users to access all the fragments which the view is defined over. A suggested classification class(F)applies to an entire fragmental schema F as well as all attribute names and type definitions for the schema, while a suggested clearance Clear( V) applies to all transactions executing on behalf of a user V. 
It should be noted that classifications and clearances are only candidates for security labels and may be refined by a human database designer if necessary.

5. Security Enforcement. In AMAC fragments are physically stored and access to a fragment may be controlled by a reference monitor. Security is enforced by means of trigger mechanisms. Triggers are hidden rules that can be fired (activated) if a fragment is affected by certain database operations. In databases security-critical operations include the select (read-access), insert, delete, and update (write-access) commands. In AMAC, select triggers are used to route queries to the proper fragments, insert triggers are responsible for decomposing tuples and inserting corresponding sub-tuples into the proper fragments, and update and delete triggers are responsible for protecting against unauthorized modification by restricting information flow from high to low in cases that could lead to undesired information transfer. The operational semantics of AMAC database operations and the construction of the select and insert triggers are outlined by Pernul (1992a).
2.3.2 Technical Presentation of AMAC: An Example

In AMAC security constraints are handled in the course of database design as well as query processing. In the course of database design they are expressed by the database decomposition, while during query processing they are enforced by trigger mechanisms. In the discussion which follows we will give the technical details of the decomposition process, the decomposition itself, the automated security-labeling process, and certain integrity constraints that have to be considered in order to arrive at a satisfactory fragmentation. In AMAC it is assumed that the Requirements Analysis is performed on an individual user group basis and that the view which each user group has of the database is represented by an ER model. The ER model has been extended to cover, besides the data semantics, the access restrictions of the user group. The next design activity is view integration. View integration techniques are well established in conceptual database design and consist in integration of the views of individual user groups into a single conceptual representation of the database. In AMAC the actual integration is based on a traditional approach and consists of two steps: integration of entity types and integration of relationship types (Pernul and Tjoa, 1991). During the integration, correspondences between modeling constructs in different views are established and, based on the different possible correspondences, the integration is performed. Following integration the universe of discourse is represented by a single ER diagram extended by the access restrictions for each user group. The next step is to transform the conceptual model into a target data model. AMAC offers general rules for the translation into the relational data model.
The translation is quite simple and results in three different types of modeling constructs: relation schemas (entity-type relations or relationship-type relations), interrelational dependencies defined between relation schemas, and a set of view descriptors defined on relation schemas and representing security requirements in the form of access restrictions for the different user groups. In the relational data model user views have no conceptual representation. The decomposition and labeling procedure in AMAC is built around the concept of a user view, entailing a simple extension of the relational data model. Let $RS(ATTR, LD)$ be a relational schema with $ATTR$ a set of attributes $\{A_1, \ldots, A_n\}$. Each $A_i \in ATTR$ has domain $dom(A_i)$. $LD$ is a set of functional dependencies (FDs) restricting the set of theoretically possible instances of a relation $R$ with schema $RS$ (i.e., $\times_i\, dom(A_i)$) to the set of semantically meaningful instances. A relation $R$ with schema $RS$ consists in
a set of distinct instances (tuples) $\{t_1, \ldots, t_m\}$ of the form $(a_1, \ldots, a_n)$ where $a_i$ is a value within $dom(A_i)$. Let $RS_1(ATTR_1, LD_1)$ and $RS_2(ATTR_2, LD_2)$ be two relational schemas with corresponding relations $R_1$ and $R_2$. Let $X$ and $Y$ denote two attribute sets with $X \subseteq ATTR_1$ and $Y \subseteq ATTR_2$. The interrelational inclusion dependency (ID) $RS_1[X] \subseteq RS_2[Y]$ holds if for each tuple $t \in R_1$ there exists at least one tuple $t' \in R_2$ with $t[X] = t'[Y]$. If $Y$ is a key in $RS_2$, the ID is called key-based and $Y$ is said to be a foreign key in $RS_1$. Let $V = \{V_1, \ldots, V_p\}$ be a set of views. A view $V_i$ ($V_i \in V$, $i = 1..p$) consists of a set of descriptors specified in terms of attributes and a set of conditions on these attributes. The set of attributes spanned by the view can belong to one or more relation schemas. View conditions represent the access restrictions of a particular user group on the underlying base relations. For each user group there must be at least one view. The concepts defined above serve as the basis of the AMAC conceptual start schema SS. SS may be defined by a triple $SS(\Re, GD, V)$, where:

$\Re = \{RS_1(ATTR_1, LD_1), \ldots, RS_n(ATTR_n, LD_n)\}$ is a set of relational schemas,

$GD = \{ID_1, \ldots, ID_k\}$ is a set of key-based IDs, and

$V = \{V_1, \ldots, V_p\}$ is a set of views.
If DAC protection is sufficient, the relational schemas are candidates for implementation in a DBMS, the views may be used to implement content-based access controls, and the set GD of global dependencies may be associated with an insert rule, a delete rule, and a modification rule in order to ensure referential integrity during database operation. If DAC is not sufficient and MAC has to be supported, it is necessary to decide which are the security objects and subjects and to assign appropriate classifications and clearances. In order to express the security requirements defined by means of the views, a decomposition of SS into single-level fragments is necessary. The decomposition is based on the derived view structure and results in a set of fragmental schemas in such a way that no view is defined over a subset of a resulting schema exclusively. A single classification is assigned to each fragmental schema, and the decomposition is performed by means of a vertical, horizontal, or derived horizontal fragmentation policy. A vertical fragmentation (vf) results in a set of vertical fragments $(F_1, \ldots, F_r)$ and is the projection of a relation schema RS onto a subset of its attributes. In order that the decomposition be lossless, the key of RS must be included in each vertical fragment. A vertical fragmentation (vf) $R = (F_1, \ldots, F_r)$ of a relation R is correct if for every tuple $t \in R$, t is the concatenation of $(v_1, \ldots, v_r)$ with $v_i$ the tuple in $F_i$ ($i = 1..r$). (vf) is used
to express "simple" security constraints that restrict access to certain attributes. The effects of (vf) on an existing set of FDs have been studied by Pernul and Luef (1991), who showed that if R is not in 3NF (third normal form), some FDs might get lost in a decomposition. To produce a dependency-preserving decomposition in AMAC, Pernul and Luef suggested including virtual attributes (not visible to any user) and updating clusters in vertical fragments if a schema is not in 3NF. A horizontal fragmentation (hf) is a subdivision of a relation R with schema RS(ATTR, LD) into subsets of its tuples based on the evaluation of a predicate defined on RS. The predicate is expressed as a boolean combination of terms, with each term a simple comparison that can be established to be true or false. An attribute on which (hf) is defined is called a selection attribute. An (hf) is correct if every tuple of R is mapped into exactly one resulting fragment. Appending one horizontal fragment to another leads to a further horizontal fragment or to R again. (hf) is used to express access restrictions based on the content of certain tuples. A derived horizontal fragmentation (dhf) of a relation $R_i$ with schema $RS_i(ATTR_i, LD_i)$ is a partitioning of $RS_i$ produced by applying a partitioning criterion defined on $RS_j$ ($i \neq j$). (dhf) is correct if there exists a key-based ID of the form $R_i[X] \subseteq R_j[Y]$ and each tuple $t \in R_i$ is mapped into exactly one of the resulting horizontal fragments. (dhf) may be used to express access restrictions that span several relations. A view $V_i$ ($V_i \in V$) defined on $\Re$ represents the area of the database which a corresponding user group can access. Let F ($F = V_i \cap V_j$) be a database fragment; then F represents the area of the database to which two groups of users have access in common. If $F = V_i \setminus V_j$, F is accessible only to users having view $V_i$ as their interface to the database.

In this case, F represents data which are not contained in $V_j$ and, therefore, must not be accessible to the corresponding user set. From the point of view of a mandatory security policy a certain level of assurance must be given that users $V_j$ are restricted from access to F. In AMAC this is produced by separation. For example, fragment $(V_i \setminus V_j)$ is separated from fragment $(V_j \setminus V_i)$ and fragment $(V_i \cap V_j)$ even if all the fragments belong to the same relation. The construction of the fragments makes a structured database decomposition necessary. In addition, to support mandatory access controls, the access windows for the users are constructed in a multilevel fashion in which only the necessary fragments are combined to form a particular view. Let $Attr(V)$ be the attribute set spanned by view V and let the subdomain $SD(V[A])$ be the domain of attribute A valid in view V ($SD(V[A]) \subseteq Dom(A)$). Two particular views $V_i$ and $V_j$ are said to be overlapping if

$\exists A\ \big(A \in Attr(V_i \cap V_j) \text{ and } SD(V_i[A]) \cap SD(V_j[A]) \neq \emptyset\big).$

Otherwise, $V_i$ and $V_j$ are isolated. The process of decomposing $\Re$ ($\Re = \{RS_1(ATTR_1, LD_1), \ldots, RS_n(ATTR_n, LD_n)\}$) is performed for any two overlapping views and for each isolated view using the (vf), (hf), and (dhf) decomposition operations. It results in a fragmentation schema $FS = \{FS_1(attr_1, ld_1), \ldots, FS_m(attr_m, ld_m)\}$ and a corresponding set of fragments F ($F = \{F_1, \ldots, F_m\}$). If $\bigcup_i ATTR_i = \bigcup_j attr_j$ ($i = 1..n$, $j = 1..m$), the decomposition is called lossless, and if $\bigcup_i LD_i \subseteq \bigcup_j ld_j$ ($i = 1..n$, $j = 1..m$), it is said to be dependency preserving. Note that (hf) or (dhf) may result in additional FDs. A fragmental schema $FS_j \in FS$ is not valid if for some view V there is a proper subset $F \subset F_j$ with $V \to F$ and $V \not\to F_j$. Here $V \to F$ denotes that users with view V have access to fragment F, while $V \not\to F$ means that F is not included in view V. To illustrate these concepts, we now apply the fragmentation policy to the example given in the Introduction. We assume that a Requirements Analysis has been performed and that the resulting ER model has been translated into the following start schema:
$SS = (\Re = \{Employee(\{SSN, Name, Dep, Salary\}, \{SSN \to Name, Dep, Salary\}),$
$\quad Project(\{Title, Subject, Client\}, \{Title \to Subject, Client\}),$
$\quad Assignment(\{Title, SSN, Date, Function\}, \{Title, SSN \to Date, Function\})\},$
$GD = \{Assignment[Title] \subseteq Project[Title],\ Assignment[SSN] \subseteq Employee[SSN]\},$
$V = \{V_1, V_2, V_3, V_4, V_5\})$
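The three decomposition operators and the correctness checks defined above can be exercised directly on this start schema. The following Python model is an added example, not code from the chapter: the Employee and Assignment tuples are constructed sample data, the key-based ID Assignment[SSN] ⊆ Employee[SSN] is the one from GD, and the salary threshold of 80 that drives the (hf)/(dhf) steps is the one used by one of the views in the text.

```python
"""Vertical (vf), horizontal (hf) and derived horizontal (dhf) fragmentation
with the correctness checks the text states, as an added Python model of the
operators (not the chapter's own code). Relations follow the start schema SS;
the tuple contents are constructed sample data."""

# Keys of the relations of the start schema (as in the chapter).
EMPLOYEE_KEY = ("SSN",)
ASSIGNMENT_KEY = ("Title", "SSN")

# Constructed sample instances of Employee and Assignment.
EMPLOYEE = [
    {"SSN": 1, "Name": "Ann",  "Dep": "R&D", "Salary": 70},
    {"SSN": 2, "Name": "Bob",  "Dep": "R&D", "Salary": 90},
    {"SSN": 3, "Name": "Cara", "Dep": "Ops", "Salary": 120},
]
ASSIGNMENT = [
    {"Title": "P1", "SSN": 1, "Date": "2024-01", "Function": "tester"},
    {"Title": "P1", "SSN": 2, "Date": "2024-02", "Function": "lead"},
    {"Title": "P2", "SSN": 3, "Date": "2024-03", "Function": "manager"},
]


def id_holds(relation, x_attrs, parent, y_attrs):
    """Key-based inclusion dependency relation[X] ⊆ parent[Y]."""
    return ({tuple(t[a] for a in x_attrs) for t in relation}
            <= {tuple(p[a] for a in y_attrs) for p in parent})


def vf(relation, key, attrs):
    """Vertical fragmentation: project onto key+attrs and onto key+rest.
    The key is kept in both fragments so that (c) can rebuild the relation."""
    left = [{a: v for a, v in t.items() if a in key or a in attrs} for t in relation]
    right = [{a: v for a, v in t.items() if a in key or a not in attrs} for t in relation]
    return left, right


def concat(left, right, key):
    """(c): inverse of vf, a natural join of the vertical fragments on the key."""
    index = {tuple(t[k] for k in key): t for t in right}
    return [{**t, **index[tuple(t[k] for k in key)]} for t in left]


def hf(relation, predicate):
    """Horizontal fragmentation: tuples satisfying the predicate vs. the rest.
    Every tuple lands in exactly one fragment, so (a) append restores R."""
    return ([t for t in relation if predicate(t)],
            [t for t in relation if not predicate(t)])


def dhf(relation, x_attrs, parent_fragment, y_attrs):
    """Derived horizontal fragmentation of `relation` by a horizontal fragment
    of the parent relation; meaningful only under a key-based ID
    relation[X] ⊆ parent[Y], which makes the partitioning exhaustive."""
    keys = {tuple(p[a] for a in y_attrs) for p in parent_fragment}
    inside = [t for t in relation if tuple(t[a] for a in x_attrs) in keys]
    outside = [t for t in relation if tuple(t[a] for a in x_attrs) not in keys]
    return inside, outside


def canonical(relation):
    """Order-independent form of a relation for comparisons."""
    return sorted(sorted(t.items()) for t in relation)


def decompose_for_v3():
    """The chapter's view V3: employees with Salary <= 80 and their assignments,
    with the simple constraint on attribute Function expressed by a (vf)."""
    emp_low, emp_high = hf(EMPLOYEE, lambda t: t["Salary"] <= 80)
    asg_low, asg_high = dhf(ASSIGNMENT, ("SSN",), emp_low, ("SSN",))
    asg_low_function, asg_low_rest = vf(asg_low, ASSIGNMENT_KEY, {"Function"})
    return emp_low, emp_high, asg_low, asg_high, asg_low_function, asg_low_rest


def lossless():
    """True when (a) rebuilds Employee and Assignment from the horizontal
    fragments and (c) rebuilds the assignment fragment from its vertical ones."""
    emp_low, emp_high, asg_low, asg_high, fn, rest = decompose_for_v3()
    return (canonical(emp_low + emp_high) == canonical(EMPLOYEE)
            and canonical(asg_low + asg_high) == canonical(ASSIGNMENT)
            and canonical(concat(fn, rest, ASSIGNMENT_KEY)) == canonical(asg_low))
```

The (dhf) step is only valid because `id_holds` confirms the key-based ID first; without it an assignment whose SSN has no employee would fall into neither fragment, which is exactly the correctness condition the text gives for (dhf).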
The security policy of the organization requires that the following security conditions be represented:

• View V1 represents the access window for management of the particular organization. Users with view V1 should have access to the entire database.

• Views V2 and V3 represent users of the payroll department. Their requirements include access to Employee and Assignment. For V2 access to Employee is not restricted. However, access to the attribute Function should be provided only if Salary ≤ 100 for certain employees. Users V3 should have access only to employees and their assignments if Salary ≤ 80.

• View V4 has access to Project. However, access to the attribute Client should not be supported if the subject of a project is "research."

• View V5 represents the view of users of the quality-control department. In order for these users to perform their duties, they must have access to all information related to projects with subject development, i.e., to project data, assignment data, and data concerning assigned employees.

FIG. 3. Example of AMAC database decomposition. (a) Graphical representation of the view structure. (b) Structural decomposition.

Given these types of security requirements, construction of the fragmentation schema in AMAC is warranted. The security constraints fall into three different categories: simple constraints, which define a vertical subset of a relation schema, and content-based or complex constraints, which both define horizontal fragments of data. A (simplified) graphical representation of the corresponding view structure is given in Fig. 3(a). The view structure forms the basis of the decomposition. Because view V1 spans the entire database, it does not produce any decomposition. View V2 results in a derived horizontal fragmentation (dhf) of Assignment based on evaluation of the predicate p: Salary ≤ 100 defined on Employee. The decomposition is valid because of the existence of the key-based inclusion dependency between Employee and Assignment. For those tuples matching
the condition, in the second step a vertical fragmentation (vf) is performed which splits attribute Function from the other attributes in the derived fragment. In Fig. 3(b) the outcome of this operation is shown as IF21 and IF22. Introducing view V3 results in a horizontal fragmentation (hf) of Employee (into IF3 and IF4) and in a (dhf) of the intermediate assignment fragment, which is split into one intermediate fragment (assignment data of employees with salary below 80) and another (assignment data of employees having a salary between 81 and 99). Again, this fragmentation is valid because of the existence of the key-based ID Assignment[SSN] ⊆ Employee[SSN]. Introducing view V4 results in application of (hf) to Project, and a further (vf)-decomposition splits attribute Client from projects having as Subject the value "research." The result of the operations is given in Fig. 3(b) as the fragments F1 and F2. Introducing view V5 again entails several additional (hf) and (dhf) operations. Starting with Project, (hf) is performed on the remaining intermediate project fragment, resulting in F3 (holding projects with subject "development") and F4 (holding all other projects). The next step is a (dhf) of Assignment, an operation that is necessary in order to find all assignment data that relates to projects having as subject "development." Such data may be found in each intermediate fragment derived so far; thus, a total of four different (dhf) operations are necessary. A similar situation occurs with employee data. The final decomposition is given in Fig. 3(b) and consists of 16 different fragments. In order to support MAC it is necessary to determine the security objects and security subjects and to assign appropriate classifications and clearances. In AMAC (semi-)automated security label assignment is supported and based on the following assumption: a fragment accessed by numerous users cannot contain sensitive information, whereas a fragment that is accessed by only a few users may contain sensitive data.
In AMAC such an assumption leads to assignment of a "low" classification level to the former type of fragment and a "high" classification to the latter type. On the other hand, views that access a large number of fragments or fragments assigned "high" classifications must have "high" clearances. In general, a view requires a clearance which allows appropriate users access to all fragments which the view is defined over. Let $F = \{F_1, \ldots, F_m\}$ be a set of fragments and $V = \{V_1, \ldots, V_p\}$ a set of views defined on the database. Let $a: F \to P(V)$ be a mapping that assigns to a fragment the set of views having access to this fragment. By $card\text{-}a(F_i \to P(V))$ we denote the cardinality of the set of views accessing the fragment, i.e., $|a(F_i)|$. $card\text{-}a(F_i \to P(V))$ determines the level of classification that fragment $F_i$ must be provided with. Let $d: V \to P(F)$ be a mapping which associates with a view the set of fragments spanned by this view. By $card\text{-}d(V_j \to P(F))$ we denote the cardinality of the set of fragments which a user with view $V_j$ has access to, i.e., $|d(V_j)|$. By applying
$a(F_i)$ and $d(V_j)$ to the example discussed earlier, we derive the following mappings.

Mappings from fragments to views:

$a(F_2) = \{V_1\}$, $a(F_6) = \{V_1\}$,
$a(F_1) = \{V_1, V_4\}$, $a(F_4) = \{V_1, V_4\}$, $a(F_5) = \{V_1, V_5\}$, $a(F_8) = \{V_1, V_2\}$, $a(F_{10}) = \{V_1, V_2\}$, $a(F_{14}) = \{V_1, V_2\}$,
$a(F_3) = \{V_1, V_4, V_5\}$, $a(F_7) = \{V_1, V_2, V_5\}$, $a(F_9) = \{V_1, V_2, V_5\}$, $a(F_{12}) = \{V_1, V_2, V_3\}$, $a(F_{13}) = \{V_1, V_2, V_5\}$, $a(F_{16}) = \{V_1, V_2, V_3\}$,
$a(F_{11}) = \{V_1, V_2, V_3, V_5\}$, $a(F_{15}) = \{V_1, V_2, V_3, V_5\}$.

Mappings from views to fragments:

$d(V_1) = \{F_1, F_2, F_3, F_4, F_5, F_6, F_7, F_8, F_9, F_{10}, F_{11}, F_{12}, F_{13}, F_{14}, F_{15}, F_{16}\}$,
$d(V_2) = \{F_7, F_8, F_9, F_{10}, F_{11}, F_{12}, F_{13}, F_{14}, F_{15}, F_{16}\}$,
$d(V_3) = \{F_{11}, F_{12}, F_{15}, F_{16}\}$,
$d(V_4) = \{F_1, F_3, F_4\}$,
$d(V_5) = \{F_3, F_5, F_7, F_9, F_{11}, F_{13}, F_{15}\}$.

Let us now order the fragments based on the assumption we have presented. The ordering defines the level of classification that has to be assigned to a fragment. Based on our assumption, we may derive the following dominance relationship between the classifications (assuming, to simplify the discussion, a uniform distribution of users among views):

$\{class(F_2), class(F_6)\} > \{class(F_1), class(F_4), class(F_5), class(F_8), class(F_{10}), class(F_{14})\} > \{class(F_3), class(F_7), class(F_9), class(F_{12}), class(F_{13}), class(F_{16})\} > \{class(F_{11}), class(F_{15})\}.$

Furthermore, $clear(V_1) \geq \{class(F_1), \ldots, class(F_{16})\}$, $clear(V_2) \geq \{class(F_7), \ldots, class(F_{16})\}$, $clear(V_3) \geq \{class(F_{11}), class(F_{12}), class(F_{15}), class(F_{16})\}$, $clear(V_4) \geq \{class(F_1), class(F_3), class(F_4)\}$, and $clear(V_5) \geq \{class(F_3), class(F_5), class(F_7), class(F_9), class(F_{11}), class(F_{13}), class(F_{15})\}$. The security classifications are assigned based on the ordering of the fragments and are given in Fig. 4. The dominance relationship (d > c > b > a) holds for the levels. Structured decomposition results in the assignment of a classification label to each fragmental schema and a clearance to each user view. Thus, a fragmental schema can be denoted FS(attr, ld, c), which may be understood to mean that data contained in FS is uniformly classified by classification c. The process of structured decomposition and label assignment can be automated. The assigned security labels serve only as a suggestion to a human database designer, who can refine them as necessary. However, it is commonly agreed that if the number of different views is large, automated
labeling will produce very satisfactory results.

FIG. 4. Example of assigned classifications.

The outcome of the decomposition and the assigned classifications and clearances are maintained by three catalog relations: the Dominance Schema, the Data Schema, and the Decomposition Schema. Applied to the sample label assignment, this means that, based on the AMAC assumptions, fragments F6 and F2 describe the most sensitive area of the database. This seems a legitimate result, since F6 holds the attribute Function of assignments of employees that earn more than 100 if the assignment refers to a project with attribute Subject ≠ "development," and F2 contains sensitive information stating the clients of projects having as subject "research." Since only one group of users (V1) has access to both fragments, F2 and F6 are assigned a classification that dominates all other classifications of the database and is dominated solely by clear(V1). On the other hand, fragments F11 and F15 are accessed by most of the views. The AMAC labeling assumption seems legitimate here, too, because both fragments describe nonsensitive data concerning employees and their assignments if the employee earns less than 80 and if the corresponding project has as subject "development." In AMAC multilevel relations exist solely at a conceptual level. The access window for the users is constructed in a multilevel fashion so that only necessary fragments are combined to form a particular view. This is done in a way that is entirely transparent to the user, first, by filtering out fragments that dominate a particular user's clearance and, second, by performing the inverse decomposition operation on the remaining fragments. This, for (vf), represents a concatenation of vertical fragments (denoted (c)) and, for (hf) and (dhf), an append of horizontal fragments (denoted (a)). In the example we are considering, views V1 and V2 on Employee and Assignment can be constructed in the following way ((*) denotes the join operation):

$V_1 = ((F_{15}\,(a)\,F_{16})\,(a)\,(F_{13}\,(a)\,F_{14}))\ (*)\ (((F_5\,(a)\,F_6)\,(c)\,(F_7\,(a)\,F_8))\,(a)\,(F_9\,(a)\,F_{10})\,(a)\,(F_{11}\,(a)\,F_{12}))$

$V_2 = ((F_{15}\,(a)\,F_{16})\,(a)\,(F_{13}\,(a)\,F_{14}))\ (*)\ ((F_7\,(a)\,F_8)\,(a)\,(F_9\,(a)\,F_{10})\,(a)\,(F_{11}\,(a)\,F_{12}))$
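The automated labeling step just described, from the view-to-fragment mapping d(V) through card-a to the dominance ordering and the clearances, can be carried out mechanically. The following Python model is an added example, not the chapter's code. It takes the d(V) mapping of the example as given and assumes one totally ordered level per distinct view count (a < b < c < d), so it reproduces the dominance chain in the text but not the finer labels of Fig. 4, which this page does not show.

```python
"""AMAC automated security labeling: the card-a / card-d ordering of the text
as an added Python model (not the chapter's own code). Assumption: one totally
ordered level per distinct view count (a < b < c < d), so the finer labels of
the chapter's Fig. 4 are not reproduced."""

# d(V): the view-to-fragment mapping of the chapter's example (5 views, 16 fragments).
D = {
    "V1": {f"F{i}" for i in range(1, 17)},
    "V2": {f"F{i}" for i in range(7, 17)},
    "V3": {"F11", "F12", "F15", "F16"},
    "V4": {"F1", "F3", "F4"},
    "V5": {"F3", "F5", "F7", "F9", "F11", "F13", "F15"},
}
LEVELS = "abcd"        # dominance d > c > b > a, as in the chapter


def fragment_index(f):
    return int(f[1:])


def a_mapping(d):
    """Invert d: V -> P(F) into a: F -> P(V), the views having access to a fragment."""
    a = {}
    for view, frags in d.items():
        for f in frags:
            a.setdefault(f, set()).add(view)
    return a


def classify(d):
    """class(F) from card-a: the more views access a fragment, the lower its
    level (uniform distribution of users among views assumed). Raises if more
    distinct counts occur than levels are available."""
    a = a_mapping(d)
    counts = sorted({len(views) for views in a.values()}, reverse=True)
    if len(counts) > len(LEVELS):
        raise ValueError("more cardinality classes than security levels")
    level_of_count = {c: LEVELS[i] for i, c in enumerate(counts)}
    return {f: level_of_count[len(views)] for f, views in a.items()}


def dominates(level, other):
    return LEVELS.index(level) >= LEVELS.index(other)


def clearances(d, cls):
    """clear(V): the least level dominating class(F) for every F the view spans."""
    return {v: max((cls[f] for f in frags), key=LEVELS.index) for v, frags in d.items()}


def dominance_chain(cls):
    """Fragments grouped from highest to lowest classification, i.e. the
    ordering {class(F2), class(F6)} > ... > {class(F11), class(F15)}."""
    return [sorted((f for f, lv in cls.items() if lv == level), key=fragment_index)
            for level in reversed(LEVELS) if level in cls.values()]


def labels_consistent(d, cls, clear):
    """Every view's clearance must dominate every fragment it is defined over."""
    return all(dominates(clear[v], cls[f]) for v, frags in d.items() for f in frags)
```

Running `dominance_chain(classify(D))` yields the four groups of the dominance relationship above, and `labels_consistent` is the check a designer would run after refining any suggested label by hand: lowering a fragment's class or raising a view's clearance keeps it true, while raising a class above a spanning view's clearance breaks it.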
The conceptual multilevel relations look different to different users, depending on the view. For example, the relation Assignment consists of {F5, ..., F12} for users V1, of {F7, ..., F12} for users V2, and of {F11, F12} only for users V3. Three catalog relations are necessary in AMAC in order to maintain the database decomposition, construct the multilevel relations, and control the integrity of the database: the Decomposition Schema, the Data Schema, and the Dominance Schema. Figure 5 presents some of the catalog relations that result from decomposition of the sample database.

FIG. 5. AMAC catalog relations. (a) Dominance Schema, with columns View, Clear, and Dominates. (b) Data Schema, with columns Attribute and Integrity Constraint (e.g., SSN ⊆ F7[SSN], Title ⊆ F3[Title]). (c) Decomposition Schema.

• Decomposition Schema. The schema comprises a mapping of the decomposition structure into a flat table. Its contents are needed to reconstruct multilevel relations from single-level fragments.

• Dominance Schema. The schema is used to model the allocation from fragments to users. Whenever a user-supplied query attempts to access a multilevel relation, the system has to make certain that the access request does not violate the security policy of the organization. For example, if there is a rule which states that the user's clearance must dominate the classification of the referenced data, this rule may be implemented using information from the Decomposition Schema and the Dominance Schema.

• Data Schema. The Data Schema contains the schema definitions of the fragments and the set of integrity conditions which must be valid for every tuple in the fragment. Update operations performed on tuples in horizontal fragments may lead to transfer of tuples to other horizontal fragments. This occurs if the update changes the value of a selection attribute to a value beyond the domain of this attribute in the fragment. If information from the Data Schema is used, it is always possible to determine the valid domain of the selection attributes in the fragments and to route tuples to the proper fragments in case an update or insert operation is performed.
So far we have shown how the security requirements can be expressed in AMAC during database design by means of structured decomposition. In
Pernul (1992a) it is shown how these requirements can be enforced during database operation by means of database triggers. Triggers are implemented in most DBMS products and can be used to perform hidden actions without the user's knowledge. Generally speaking, a trigger consists of two parts. The first part, the trigger definition, specifies when the trigger should be invoked, while the second part, the trigger action, defines the actions which the trigger is to perform. We see triggers as an alternative way of implementing a security policy. In the following discussion we will specify the simple security property (read access) of BLP by means of a select trigger. Similar triggers have been developed by Pernul (1992a) for the insert statement (write access) and have been outlined for the update and delete statements. In what follows, assume that a user having clearance C has logged on to the system. Based on the information of the Dominance Schema, a set of security classifications $\{c_1, \ldots, c_n\}$ with $C \geq \{c_1, \ldots, c_n\}$ may be derived. Any process operating on
behalf of the user that attempts to access any fragment with schema $FS(attr, ld, c')$ and $c' \notin \{c_1, \ldots, c_n\}$ will not be properly authorized and, thus, the corresponding fragments will not be affected by operations performed by the C-level user. For security reasons, database fragmentation must be completely transparent to the users, and users must be supported with the names of the base relations even if they are authorized to access a subset of a multilevel relation only. Read access is performed by means of a Select statement which has the following form:

    SELECT attribute list FROM base relations WHERE p

Every query contains as parameters the user's identification and the set of referenced base relations. Every multilevel base relation has assigned to it triggers which are executed when the base relation is affected by a corresponding operation. As an example consider the definition of a Select trigger as specified below. Here, %X denotes a parameter, and the keyword DOWN-TO represents the transitive closure of the base relation (i.e., the set of fragments resulting from a base relation). The trigger implements the simple security property of BLP.

    CREATE TRIGGER Select-Trigger ON each-base-relation FOR SELECT AS
    BEGIN
        declare @dominates, @classification
        SELECT @dominates = SELECT Dominates FROM Dominance Schema WHERE View = %V
        SELECT @classification = SELECT Class FROM Decomposition Schema
            WHERE Parent = %specified-base-relation DOWN-TO each-resulting-fragment
        IF @dominates ∩ @classification ≠ ∅ THEN
            perform query for each element IN (@dominates ∩ @classification)
        ELSE
            Print 'Base relation not known to the system'
            Rollback Transaction
    END Select-Trigger
As an example consider a user belonging to view V3 who wishes to know the names of all the employees and their function in assigned projects. Note that users with view V3 should be prevented from accessing data concerning employees who earn more than 80. The user issues the following query:

    SELECT Name, Function FROM Employee, Assignment WHERE Employee.SSN = Assignment.SSN
Applied to this example, the clearance assigned to users with view V3 yields @dominates = {a1, a2, b4, b6}, @classification = {d2, d3, d4, d5, c6, b2, b3, b4, b5, b6, a1, a2}, and @dominates ∩ @classification = {a1, a2, b4, b6}. Thus, the query is automatically routed to the corresponding fragments F11, F12, F15, and F16 and, based on the information of the Decomposition Schema, V3 can be constructed by means of the inverse decomposition operation, i.e., $V_3 = (F_{15}\,(a)\,F_{16})\ (*)\ (F_{11}\,(a)\,F_{12})$. The outcome of the Select operation is in accordance with the simple security property of BLP.
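The routing step of the Select trigger and the inverse decomposition that follows it can be traced in executable form. The Python model below is an added example, not code from the chapter. The class labels and the sets @dominates and @classification for V3 are those quoted in the text; which fragment carries which label, the V1 row of the Dominance Schema, and the contents of the four fragments a V3 query reaches are constructed here, since Fig. 4 and the fragment instances are not reproduced on this page.

```python
"""Added model of the AMAC Select trigger and the two catalog relations it
reads (not the chapter's own code). Class labels a1..d5 follow the sets quoted
in the text for view V3; the fragment-to-label assignment, the V1 row and the
fragment contents are constructed."""

# Dominance Schema: for each view, the set of classes its clearance dominates.
DOMINANCE_SCHEMA = {
    "V1": {"d2", "d3", "d4", "d5", "c6", "b2", "b3", "b4", "b5", "b6", "a1", "a2"},
    "V3": {"a1", "a2", "b4", "b6"},                       # as given in the text
}

# Decomposition Schema: base relation -> {fragment: class} (assignment constructed).
DECOMPOSITION_SCHEMA = {
    "Assignment": {"F5": "d2", "F6": "d3", "F7": "b2", "F8": "c6",
                   "F9": "b3", "F10": "d4", "F11": "a1", "F12": "b4"},
    "Employee":   {"F13": "b5", "F14": "d5", "F15": "a2", "F16": "b6"},
}

# Constructed contents of the fragments a V3 query can reach; other fragments
# are left empty in this model.
FRAGMENTS = {
    "F15": [{"SSN": 1, "Name": "Ann", "Dep": "R&D", "Salary": 70}],
    "F16": [{"SSN": 4, "Name": "Dan", "Dep": "Ops", "Salary": 60}],
    "F11": [{"Title": "P1", "SSN": 1, "Date": "2024-01", "Function": "tester"}],
    "F12": [{"Title": "P3", "SSN": 4, "Date": "2024-04", "Function": "analyst"}],
}


def select_trigger(view, base_relations):
    """Simple security property: a view reads only fragments whose class lies in
    its dominance set. Returns ("routed", {relation: [fragments]}) or
    ("rollback", message) when a relation has no dominated fragment at all."""
    dominates = DOMINANCE_SCHEMA.get(view, set())
    routing = {}
    for rel in base_relations:
        frags = DECOMPOSITION_SCHEMA.get(rel, {})          # DOWN-TO each fragment
        hit = dominates & set(frags.values())
        if not hit:
            return ("rollback", "Base relation not known to the system")
        routing[rel] = sorted((f for f, c in frags.items() if c in hit),
                              key=lambda f: int(f[1:]))
    return ("routed", routing)


def append(*fragments):
    """(a): union of horizontal fragments (inverse of hf / dhf)."""
    return [t for f in fragments for t in FRAGMENTS.get(f, [])]


def join(left, right, on):
    """(*): natural join of two reconstructed relations on attribute `on`."""
    return [{**l, **r} for l in left for r in right if l[on] == r[on]]


def run_query(view):
    """SELECT Name, Function FROM Employee, Assignment WHERE Employee.SSN =
    Assignment.SSN, executed only over the fragments the trigger routed to."""
    status, routing = select_trigger(view, ["Employee", "Assignment"])
    if status != "routed":
        return status, routing
    employee = append(*routing["Employee"])
    assignment = append(*routing["Assignment"])
    return status, sorted((t["Name"], t["Function"]) for t in join(employee, assignment, "SSN"))
```

Because the check is set intersection on labels rather than a comparison of levels, a view never reaches a fragment that merely happens to share a level with one it is entitled to; this is what lets the Dominance Schema encode the view structure exactly. A relation absent from the Decomposition Schema, or one whose fragments are all outside the dominance set, produces the same "not known" rollback, so the user learns nothing about fragments above their clearance.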
2.4 The Personal Knowledge Approach

The personal knowledge approach is focused on protecting the privacy of individuals by restricting access to personal information stored in a database or information system. The model serves as the underlying security paradigm of the prototype DBMS Doris (Biskup and Brüggemann, 1991). The main goal of this security technique is to ensure the right of individuals to informational self-determination, now part of the laws of many countries. In this context, the notion of privacy can be summarized as asserting the basic right of an individual to choose which elements of his or her private life may be disclosed. In the model, all individuals, users as well as security objects, are represented by an encapsulated person-object (in the sense of object-oriented technology). The data part of a person-object corresponds to the individual's knowledge of himself or herself and his or her relationship to other persons. The operation part of a person-object corresponds to the possible actions which an individual may perform. The approach is built on the assumption that a person represented in a database has complete knowledge of himself or herself and that if he or she wishes to know something about someone else represented in the database, that person must first be asked. Knowledge of different persons cannot be stored permanently and, therefore, must be requested from the person each time information is requested. In an effort to achieve this lofty goal, the personal knowledge approach developed by Biskup and Brüggemann (1988, 1989) combines techniques of relational databases, object-oriented programming, and capability-based operating systems. More technically, it is based on the following constructs:

Persons. A person-object represents either information concerning an individual about whom data is stored in the information system or represents the actual users of the system. Each person is an instance of a class, called group.
Groups form a hierarchy and, in accordance with object-oriented concepts, a member of a group has the components of the group
as well as inherited components from all its supergroups. More technically, an individual person-object is represented by an NF2-tuple (non-first-normal-form, i.e., it may have nonatomic attribute values) with entries of the following form:

t = (Surrogate, Knows, Acquainted, Alive, Available, Remembers)

where

• Surrogate is a unique identifier which is secretly created by the system;

• Knows is application dependent and organized as a relation with set of attributes {A1, ..., An}; it represents the personal knowledge of the person-object;

• Acquainted is a set of surrogates representing other person-objects of which the person is aware;

• Alive is a boolean value;

• Available contains the set of rights which the person has made available to others;

• Remembers contains a set of records describing messages which have been sent or received.
Each person is represented as an instance of a group. All persons in a group have the same attributes, operations, roles, and authorities. The operation part of an object consists of system-defined operations which are assigned to groups. Examples of common system-defined operations are ‘create’ (creates a new instance of a group); ‘tell’ (returns the value of the attribute Knows); ‘insert’, ‘delete’, and ‘modify’ (transform Knows); ‘acquainted’ (returns the value for Acquainted), and others.
Communication between Acquainted Objects. Persons are acquainted with other persons. A person individually receives his or her acquaintances by using the operation 'grant'. The set of acquaintances of a person describes the environment of this person and denotes the set of objects which the person is allowed to communicate with. Communication is performed by means of messages that may be sent from a person to his or her acquaintances in order to query their personal knowledge or to ask that an operation be performed, for example, that this knowledge be updated.

Roles and Authorities. Depending on the authority of the sender, the receiver of a message may react in different ways. The authority of a person with respect to an acquaintance is based on the role which the person is currently performing. While the set of acquaintances of a person may change dynamically, authorities and roles are statically declared in the system. When a person-object is created as an instance of a group, it receives the authorities declared in this group and in all its supergroups.
Auditing. Each person remembers the messages the person is sending or receiving. This is established by adding all information about recent queries and updates, together with the authorities available at that time, to the 'knowledge' (attribute Remembers) of the sender and receiver person-objects. Based on this information, auditing can be performed and all transactions traced by just 'asking' the affected person.

Security (privacy) enforcement following the personal-knowledge approach is based on two independent features. First, following login each user is assigned, as an instance, a person-object type and, thus, assumes individually received acquaintances and statically assigned authorities and roles. Second, whenever a user executes a query or an update operation, the corresponding transaction is automatically modified in such a way that resulting messages are sent only to the acquaintances of the person. Summarizing, the personal-knowledge approach is fine-tuned to meet the requirements of informational self-determination. Thus, it is the preferable approach as the underlying security paradigm for database applications in which information about individuals which is not available to the public is maintained, for example, in hospital information systems or databases containing census data.
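The constructs just listed (person-objects with the six tuple components, acquaintance by 'grant', message passing restricted to acquaintances, and auditing by asking the affected person) fit naturally into an object-oriented sketch. The Python below is an added illustration, not code from the Doris prototype; the group hierarchy, the hospital scenario, and the names used in it are constructed.

```python
"""Added Python sketch of the personal knowledge approach: person-objects with
Surrogate, Knows, Acquainted, Alive, Available and Remembers, messages that
reach only acquaintances, and auditing by asking the affected person. It is an
illustration, not code from Doris; group names and the scenario are constructed."""
import itertools

_surrogates = itertools.count(1000)      # secretly created by the system


class Person:
    """Instance of a group; the operation part is the method set."""

    def __init__(self, knows):
        self.surrogate = next(_surrogates)   # unique, never disclosed to users
        self.knows = dict(knows)             # Knows: personal knowledge
        self.acquainted = set()              # Acquainted: surrogates of others
        self.alive = True                    # Alive
        self.available = {}                  # Available: surrogate -> rights
        self.remembers = []                  # Remembers: sent/received messages

    def grant(self, other, *operations):
        """Make `operations` available to `other`; `other` thereby becomes
        acquainted with self, the only way acquaintances are obtained."""
        other.acquainted.add(self.surrogate)
        self.available.setdefault(other.surrogate, set()).update(operations)

    def send(self, receiver, operation, **args):
        """Queries/updates are rewritten into messages; a message is delivered
        only if the receiver is among the sender's acquaintances."""
        if receiver.surrogate not in self.acquainted:
            self.remembers.append((self.surrogate, receiver.surrogate, operation, "undeliverable"))
            return None
        result = receiver.receive(self, operation, args)
        self.remembers.append((self.surrogate, receiver.surrogate, operation,
                               "ok" if result is not None else "refused"))
        return result

    def receive(self, sender, operation, args):
        """React according to the authority made available to the sender;
        both outcomes are remembered for later auditing."""
        authorized = self.alive and operation in self.available.get(sender.surrogate, set())
        self.remembers.append((sender.surrogate, self.surrogate, operation,
                               "ok" if authorized else "refused"))
        if not authorized:
            return None
        if operation == "tell":              # system-defined: return Knows
            return dict(self.knows)
        if operation == "modify":            # system-defined: transform Knows
            self.knows.update(args)
            return dict(self.knows)
        return None


class Patient(Person):
    """A subgroup (constructed); inherits components and operations of Person."""


def audit(person):
    """Trace transactions by asking the affected person for its Remembers."""
    return list(person.remembers)


def scenario():
    """Constructed hospital example: the patient grants the doctor, not the clerk."""
    patient = Patient({"name": "Alice", "diagnosis": "flu"})
    doctor = Person({"name": "Dr. B"})
    clerk = Person({"name": "Clerk"})
    patient.grant(doctor, "tell", "modify")
    return patient, doctor, clerk


def run_scenario():
    """Doctor reads and updates; clerk's query never reaches the patient."""
    patient, doctor, clerk = scenario()
    told = doctor.send(patient, "tell")
    denied = clerk.send(patient, "tell")
    changed = doctor.send(patient, "modify", diagnosis="recovered")
    return told, denied, changed, audit(patient), audit(clerk)
```

Note that the clerk's attempt appears only in the clerk's own Remembers: the message was never delivered, so the patient's audit trail contains exactly the two authorized exchanges, and no copy of the patient's knowledge persists anywhere but in the patient object.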
2.5 The Clark and Wilson Model

This model was first summarized and compared to MAC by Clark and Wilson (1987), who claimed that their model was based on concepts already well established in the pencil-and-paper office world. These concepts include the notion of security subjects, (constrained) security objects, a set of well-formed transactions, and the principle of separation of duty. If we transfer these principles to the database and security world, they assume the following interpretation: users of a system are restricted to executing only a certain set of transactions which are permitted to them, and each transaction operates solely on an assigned set of data objects. More precisely, the Clark and Wilson approach may be interpreted in the following way:

1. Security subjects are assigned to roles. Based on the role which they play in an organization, users have to perform certain functions. Each business role is mapped into database functions and, ideally, at a given time a particular user is playing only one role. A database function corresponds to a set of (well-formed) transactions that are necessary for users acting in a particular role. In this model it is essential to state which user is acting in which role at what time and, for each role, what transactions have to be carried out. To control against unauthorized disclosure and modification of data, Clark and Wilson proposed that access be permitted only through execution of certain programs and well-formed transactions, and that the rights of users to execute such code be restricted based on the particular role in which a user is acting.

2. Well-formed transactions. A well-formed transaction operates on an assigned set of data. It is necessary to ensure that all the relevant security and integrity properties are satisfied. In addition, a well-formed transaction must provide logging and atomicity as well as serializability of the resulting subtransactions, in such a way as to enable the construction of concurrency and recovery mechanisms. It is important to note that, in this model, the data items referenced by a transaction are not specified by the user who executes the transaction. Rather, data items are assigned depending on the role which the user is enacting. Thus, the model does not allow ad hoc database queries.

3. Separation of duty. This principle requires assigning to each set of users a specific set of responsibilities based on the role the user enacts in the organization. The only way for a user to access data in the database is through an assigned set of well-formed transactions specific to the role which the particular user enacts. In those cases in which a user requires additional information, another user (cleared at a higher level) acting in a separate role must execute a well-formed transaction from the transaction domain of the role he is enacting in order to grant the initial user temporary permission to execute a larger set of well-formed transactions. Moreover, the roles have to be defined in such a way as to make it impossible for a single user to violate the integrity of the system. For example, the design, implementation, and maintenance of a well-formed transaction must be assigned to a different role than the execution of the transaction.
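The three points above fit together as a small reference monitor: roles are mapped to the well-formed transactions they may run, each transaction is confined to its assigned data items, every execution is logged, and the role that installs a transaction may not execute it. The following Python sketch is an added example, not code from Clark and Wilson or from the chapter; the roles, the transactions and the account items are assumed for illustration, and the monitor models only the rules listed above.

```python
# Added example: a minimal monitor in the spirit of the Clark and Wilson
# interpretation above. Roles, transactions and accounts are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


class ClarkWilsonViolation(Exception):
    """A request that would break one of the model's rules."""


class RestrictedView:
    """Private copy of the items assigned to a transaction: touching any other
    item is a violation, and the real store is left alone until commit."""

    def __init__(self, store: Dict[str, int], allowed: FrozenSet[str]):
        self.allowed = allowed
        self.data = {k: store[k] for k in allowed if k in store}

    def __getitem__(self, key: str) -> int:
        if key not in self.allowed:
            raise ClarkWilsonViolation(f"transaction touched unassigned item {key!r}")
        return self.data[key]

    def __setitem__(self, key: str, value: int) -> None:
        self[key]                      # same check as for a read
        self.data[key] = value


@dataclass(frozen=True)
class WellFormedTransaction:
    name: str
    data_items: FrozenSet[str]                     # the only items the TP may touch
    body: Callable[[RestrictedView, dict], None]   # the certified program


class ClarkWilsonMonitor:
    def __init__(self, store: Dict[str, int]):
        self.store = store
        self.tps: Dict[str, WellFormedTransaction] = {}
        self.installed_by: Dict[str, str] = {}     # TP -> role that implements/maintains it
        self.role_tps: Dict[str, Set[str]] = {}    # role -> TPs it may execute
        self.audit: List[Tuple[str, str, str, str]] = []   # (user, role, TP, outcome)

    def install_transaction(self, role: str, tp: WellFormedTransaction) -> None:
        self.tps[tp.name] = tp
        self.installed_by[tp.name] = role

    def permit(self, role: str, tp_name: str) -> None:
        """Separation of duty: the role that implements a TP must not execute it."""
        if self.installed_by.get(tp_name) == role:
            raise ClarkWilsonViolation(f"role {role!r} both maintains and executes {tp_name!r}")
        self.role_tps.setdefault(role, set()).add(tp_name)

    def execute(self, user: str, role: str, tp_name: str, **params) -> None:
        if tp_name not in self.role_tps.get(role, set()):
            self.audit.append((user, role, tp_name, "denied"))
            raise ClarkWilsonViolation(f"role {role!r} may not execute {tp_name!r}")
        tp = self.tps[tp_name]
        view = RestrictedView(self.store, tp.data_items)
        try:
            tp.body(view, params)
        except Exception:
            self.audit.append((user, role, tp_name, "aborted"))   # logged; store untouched
            raise
        self.store.update(view.data)                               # atomic commit
        self.audit.append((user, role, tp_name, "committed"))


def transfer(view: RestrictedView, p: dict) -> None:
    """Well-formed transaction: moves funds and keeps the no-overdraft invariant."""
    if view[p["src"]] < p["amount"]:
        raise ValueError("insufficient funds")
    view[p["src"]] -= p["amount"]
    view[p["dst"]] += p["amount"]


def skim(view: RestrictedView, p: dict) -> None:
    view["acct:carol"] -= 1        # badly formed: reaches outside its assigned items


def demo() -> Tuple[ClarkWilsonMonitor, Dict[str, str]]:
    m = ClarkWilsonMonitor({"acct:alice": 100, "acct:bob": 50, "acct:carol": 70})
    m.install_transaction("developer", WellFormedTransaction(
        "transfer", frozenset({"acct:alice", "acct:bob"}), transfer))
    m.install_transaction("developer", WellFormedTransaction("skim", frozenset({"acct:alice"}), skim))
    m.permit("teller", "transfer")
    m.permit("teller", "skim")
    m.execute("tina", "teller", "transfer", src="acct:alice", dst="acct:bob", amount=30)
    attempts = {
        "sod": lambda: m.permit("developer", "transfer"),
        "overdraft": lambda: m.execute("tina", "teller", "transfer",
                                       src="acct:bob", dst="acct:alice", amount=500),
        "unassigned": lambda: m.execute("tina", "teller", "skim"),
        "no_role": lambda: m.execute("dave", "developer", "transfer",
                                     src="acct:alice", dst="acct:bob", amount=1),
    }
    outcomes = {}
    for label, call in attempts.items():
        try:
            call()
            outcomes[label] = "allowed"
        except (ClarkWilsonViolation, ValueError) as exc:
            outcomes[label] = type(exc).__name__
    return m, outcomes
```

The point of the private copy is that an integrity failure inside a transaction (the overdraft) and an attempt to reach data outside the assigned set (the skim) both leave the store exactly as it was, while still producing an audit record.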
A first attempt to implement the concept of a well-formed transaction was that of Thomsen and Haigh (1990). The authors compared the effectiveness of two mechanisms for implementing well-formed transactions, Lock type enforcement (see Subsection 3.2) and the Unix setuid mechanism. With type enforcement, accesses of user processes to data can be restricted based on the domain of the process and the type of the data. The setuid and setgid bits allow a user who is not the owner of a file to execute the program in that file with the owner's (or the owning group's) permissions. Although Thomsen and Haigh concluded that both mechanisms are suitable for implementing the Clark and Wilson concept of a well-formed transaction, no further studies or implementation projects are known.

The Clark and Wilson model has drawn considerable interest in recent years. However, though it seems quite promising at first glance, it is still lacking, we believe, detailed and thorough investigation. In particular, the only potential threats to the security of a system which were addressed were penetration of data by authorized users, unauthorized actions by authorized users, and the abuse of privileges by authorized users. As noted earlier in our discussion, this represents only a subset of the required functionality of the mandatory security features of a DBMS.
2.6 A Final Note on Database Security Models

In this section we have discussed different approaches towards the representation of database security. In concluding the section, we wish to note that although the models differ significantly, all of the approaches which we have discussed have their own raison d'être. The discretionary security approach may be the first choice if a high degree of security is not necessary. Keeping the responsibility to enforce security on the user's side is sufficient only if potential threats against security would not result in great damage. Even if a central authority is responsible for granting and revoking authorizations, DAC-based protection may still be subject to Trojan horse attacks and cannot be recommended as a security technique in security-critical database applications. Mandatory policies are more effective as they entail users not having control over the creation and alteration of security parameters. In addition, a security policy suitable to a particular application may have both a mandatory and a discretionary component. Note, too, that real systems often allow for exceptions to strict mandatory controls, for example, for privileged users such as system administrators and security officers. Such back-door entry points often represent a serious source of vulnerability.

Multilevel applications may become very complex. One way of countering this complexity would be to develop a conceptual representation of a multilevel database application. We will come back to this issue in Section 4, where a conceptual model for multilevel database security is introduced.

Although very effective, mandatory policies can only be applied in environments where labeled information is available. We believe this is one of the strongest points in favor of the AMAC security model. AMAC offers a design environment for databases with principal emphasis on security. It includes discretionary as well as mandatory controls. However, the model suffers from a limited level of expressiveness. AMAC uses relational algebra to express security constraints which, for certain applications, may not be sufficiently expressive to specify sophisticated security constraints.

We interpret the personal-knowledge approach as a means of implementing discretionary controls. Permitting person-objects to decide whether to respond to a query issued by another object seems to be a very effective way of maintaining the privacy of stored information. Privacy security may be an interesting alternative in applications where mainly personal information is maintained, for example in hospital information systems.

The Clark and Wilson model has gained wide acceptance in recent years. Although at first glance it seems promising, it is our belief that there is still a need for a detailed and thorough investigation because a number of major questions remain open. Many security-relevant actions are relegated to application programs; moreover, the model does not support ad hoc database queries. While we believe that most database security requirements could be expressed in it, doing so would entail tremendous application development costs.
3. Multilevel Secure Prototypes and Systems

Trusted systems are systems for which convincing arguments or proofs have been given to the effect that the security mechanisms work as prescribed and cannot be subverted. A basic property of trusted systems is their size; these systems tend to be quite large in terms of the amount of code needed for their implementation. This is especially true of complex systems, for example, trusted database management systems. A complete formal proof that an implementation meets its system specification is still not possible using present-day technology, although a great deal of research on formal specification and verification is currently in progress. The enormous amount of code necessary is the reason for the very conservative approach taken by most trusted DBMSs, which try to achieve a certain level of assurance through reuse, by building upon a previously built and verified trusted system, in an approach known as TCB subsetting.

A trusted computing base (TCB) refers to that part of a system which is responsible for enforcing a security policy; it may involve any combination of hardware, firmware, and operating system software. The term was defined in the Trusted Computer System Evaluation Criteria (TCSEC, 1985). The criteria define seven levels of trust, which range from systems that have minimal protection features to those that provide the highest level of security which state-of-the-art security techniques can produce. TCSEC is not the only proposal put forward for the purpose of defining objective guidelines upon which security evaluations of systems may be based. We will review TCSEC and other proposals in Section 5. TCB subsetting has been identified as a strategy for building trusted DBMSs in the Trusted Database Interpretation (TDI, 1990) of TCSEC.

In this section we will discuss the most prominent projects which have had as their goal the design of systems that meet the requirements of the higher levels of trust specified in the TDI evaluation criteria. In order to obtain evaluation at higher levels of trust, a system must be supported by mandatory access controls. There have been three main efforts at designing and implementing trusted relational database systems: SeaView, which has been implemented at SRI; LDV at the Honeywell SCTC; and ASD at TRW. Besides these (semi-)academic prototypes, several vendors, including Ingres, Informix, Oracle, Sybase, Trudata, and others, have announced or already released commercial systems that support mandatory access controls. The systems differ not only in detail; there is not even agreement as to what the granularity of the security object should be. For example, SeaView supports labeling at the individual attribute-value level, LDV supports tuple-level labeling, and in ASD-Views the security object is a materialized view. Some commercial systems, moreover, support security labeling only at the relation level or even the database level.
3.1 SeaView

The most ambitious and exciting proposal aimed at the development of a trusted DBMS has come from the SeaView project (see Denning et al., 1987, or Lunt, 1990). The project was begun in 1987 and is a joint effort by Stanford Research Institute (SRI) International, Oracle, and Gemini Computers with the goal of designing and prototyping a multilevel secure relational DBMS. The most significant contribution of SeaView lies in the realization that multilevel relations need exist solely at a logical level and, moreover, may be decomposed into single-level base relations. These findings are of mainly practical importance. In particular, single-level base relations can be stored using a conventional DBMS, while commercially available TCBs can be used to enforce mandatory controls with respect to the single-level fragments.

The architectural approach taken by the SeaView project was to implement the entire DBMS on top of the commercially available Gemsos TCB (Schell et al., 1985). Gemsos provides user identification and authentication, maintenance of tables containing clearances, and a trusted interface for privileged security administrators. Multilevel relations are implemented as views over single-level relations. The single-level relations are transparent to the users and are stored by means of the storage manager of an Oracle DBMS engine. From the viewpoint of Gemsos, every single-level relation is a Gemsos security object belonging to a certain access class. Gemsos enforces the mandatory security policy based on the Bell-LaPadula security paradigm. A label comparison is performed whenever a subject attempts to bring a storage object into its address space. A subject is prevented from accessing storage objects not in the subject's current address space by means of hardware controls that are included in Gemsos.

In addition to mandatory controls, the SeaView security policy requires that no user be given access to information unless that user has been granted discretionary authorization to this information. DAC-based protection is performed outside Gemsos and allows users to specify which users and groups have authorization for specific modes of access to particular database objects, as well as which users and groups are explicitly denied authorization to particular database objects.

Since a multilevel relation is stored as a set of single-level fragments, two algorithms are necessary:

1. A decomposition algorithm to break down multilevel relations into single-level fragments.
2. A recovery formula to reconstruct an original multilevel relation from the fragments.

It is obvious that recovery must yield the original relation; otherwise the process of decomposition and recovery is incorrect. In SeaView, decomposition of multilevel relations into single-level relations is performed by means of vertical and horizontal fragmentation, and recovery by performing union and join operations. For the following, consider a conceptual multilevel relation R(A1, C1, ..., An, Cn, TC), where each Ai is an attribute defined over a domain Di, each Ci is a security class from the list (TS, S, Co, U) with TS > S > Co > U, and TC is the tuple class. We assume A1 is the apparent primary key. The original SeaView decomposition algorithm (Denning et al., 1988) consists of three steps and can be outlined as follows:

Step 1. The multilevel relation R is vertically partitioned into n projections R1[A1, C1], R2[A1, C1, A2, C2], ..., Rn[A1, C1, An, Cn].

Step 2. Each Ri is horizontally fragmented into one resulting relation for each security level. Obviously, for (TS, S, Co, U) this results in 4n relations.

Step 3. In a further horizontal fragmentation, the fragments of R2, ..., Rn (i.e., 4n - 4 relations) are each decomposed into at most four resulting relations. This final decomposition is necessary in order to support polyinstantiation.

A performance study and worst-case analysis of this algorithm was carried out by Jajodia and Mukkamala (1991), which demonstrated that a multilevel relation R(A1, C1, ..., An, Cn, TC) decomposes into a maximum of (10n - 6) single-level relations.
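As an added example (not SeaView code), the following carries Steps 1 and 2 out on a small constructed relation and reconstructs it by union and join, also showing what a subject cleared below TS recovers. It assumes there is no polyinstantiation, so Step 3 is omitted and each (A1, C1) pair occurs only once; the attributes, the labels and the outer-join treatment of values the subject may not read are my own assumptions.

```python
# Added example: Steps 1 and 2 of the SeaView decomposition and recovery by
# union and join. Not SeaView code; relation and labels are constructed, and
# polyinstantiation is assumed absent (so Step 3 is omitted).
from itertools import product
from typing import Dict, List, Tuple

LEVELS = ["U", "Co", "S", "TS"]                   # U < Co < S < TS
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

ATTRS = ["ship", "dest", "cargo"]                 # A1 (apparent key), A2, A3
SAMPLE = [                                        # constructed R(A1, C1, ..., An, Cn, TC)
    {"ship": "Vigil", "C_ship": "U", "dest": "Lisbon", "C_dest": "U",
     "cargo": "grain", "C_cargo": "U", "TC": "U"},
    {"ship": "Orion", "C_ship": "U", "dest": "Cyprus", "C_dest": "S",
     "cargo": "arms", "C_cargo": "TS", "TC": "TS"},
    {"ship": "Kestrel", "C_ship": "Co", "dest": "Malta", "C_dest": "Co",
     "cargo": "fuel", "C_cargo": "S", "TC": "S"},
]


def decompose(rel: List[dict], attrs: List[str]) -> Dict[Tuple[str, str], List[dict]]:
    """Step 1: project R onto R_i[A1, C1, Ai, Ci] for every attribute Ai.
    Step 2: split each R_i horizontally by the class in Ci.
    Result: one single-level fragment per (attribute, level), i.e. 4n fragments."""
    key, ckey = attrs[0], "C_" + attrs[0]
    frags: Dict[Tuple[str, str], List[dict]] = {(a, lvl): [] for a, lvl in product(attrs, LEVELS)}
    for t in rel:
        for a in attrs:
            c = "C_" + a
            frags[(a, t[c])].append({key: t[key], ckey: t[ckey], a: t[a], c: t[c]})
    return frags


def recover(frags: Dict[Tuple[str, str], List[dict]], attrs: List[str],
            clearance: str = "TS") -> List[dict]:
    """Union the readable fragments of each R_i, then join the R_i on the
    apparent key (A1, C1). Below the top clearance the join is treated as an
    outer join: values whose class dominates the clearance come back as null,
    and tuples whose key class dominates it are not visible at all."""
    key, ckey = attrs[0], "C_" + attrs[0]
    readable = [lvl for lvl in LEVELS if RANK[lvl] <= RANK[clearance]]
    rows: Dict[Tuple[str, str], dict] = {}
    for a in attrs:
        r_i = [t for lvl in readable for t in frags[(a, lvl)]]         # union
        for t in r_i:
            if RANK[t[ckey]] > RANK[clearance]:
                continue
            row = rows.setdefault((t[key], t[ckey]), {key: t[key], ckey: t[ckey]})
            row[a], row["C_" + a] = t[a], t["C_" + a]                 # join on (A1, C1)
    for row in rows.values():
        for a in attrs:
            row.setdefault(a, None)
            row.setdefault("C_" + a, None)
        present = [row["C_" + a] for a in attrs if row["C_" + a] is not None]
        row["TC"] = max(present, key=lambda lvl: RANK[lvl])           # tuple class = LUB
    return sorted(rows.values(), key=lambda r: (r[key], r[ckey]))
```

With n = 3 the decomposition produces 12 fragments, most of them empty for this relation; recovery at TS returns the original tuples, while a subject at Co sees Orion with null destination and cargo and does not see the Kestrel's Secret cargo at all. Because the example has no polyinstantiation, the join cannot produce the spurious tuples that Jajodia and Sandhu noted for the general case.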
The algorithm was subjected to extensive discussion in the scientific literature. Jajodia and Sandhu (1990b) pointed out that it leads to unnecessary single-level fragments. Moreover, recovering a multilevel relation entails repeated joins that may produce spurious tuples. As an alternative they proposed changing the polyinstantiation integrity property defined in the original SeaView data model by dropping the portion of the property that enforces a multivalued dependency. Their suggestions led to a reformulation of polyinstantiation integrity by Lunt et al. (1990). In a further proposal, Jajodia and Sandhu (1991b) presented a second algorithm that decomposes a multilevel relation into single-level fragments, together with a new recovery algorithm which reconstructs the original multilevel relation. The recovery algorithm in this proposal improves on earlier versions because decomposition now uses only horizontal fragmentation. Since no vertical fragmentation is required, a multilevel relation can be reconstructed without costly join operations; only unions have to be processed. Recently, Cuppens and Yazdanian (1992) proposed a "natural" decomposition of multilevel relations based on a study of functional dependencies and an application of normalization whenever a decomposition of multilevel relations is attempted. As decomposition and recovery are crucial for SeaView performance, it is expected that efficient techniques for fragmenting multilevel relations into single-level fragments will remain a heavily discussed research topic in the future.

A further contribution of SeaView was the development of a multilevel SQL (MSQL) database language (Lunt et al., 1988). MSQL is an extension of SQL (Structured Query Language) and includes user commands for operating on multilevel relations. The design includes a preprocessor that accepts multilevel queries and translates them into single-level standard SQL queries operating on the decomposed single-level fragments.
3.2 Lock Data Views

Lock Data Views (LDV) is a multilevel secure relational DBMS hosted on the Lock TCB and currently being prototyped at the Honeywell Secure Computing Technology Center (SCTC) and MITRE. Lock supports a discretionary as well as a mandatory security policy. The mandatory policy enforces the simple security property and the restricted *-property of BLP. The authors of LDV have stated that, because of its operating system orientation, the Lock security policy had to be extended for use in LDV (Stachour and Thuraisingham, 1990). One aspect of Lock, type enforcement, is of special interest for the increased functionality of this TCB in LDV.
The general concept of type enforcement in Lock and its use in LDV has been discussed by Haigh et al. (1990). The main idea is that a subject's access to an object is restricted by the role he or she is performing in the system. This is done by assigning a domain attribute to each subject and a type attribute to each object, both of which are maintained within the TCB. Entries in the domain definition table correspond to the domain of a subject and to a type list representing the set of access privileges which this subject possesses within the domain. The type enforcement mechanism of Lock made it possible to encapsulate LDV in a protected subsystem by declaring database objects to be special Lock types (Lock files) accessible only to subjects executing in the DBMS domain. Since only DBMS programs are allowed to execute in this domain, only DBMS processes can access the Lock types holding portions of the database. The remaining problem that had to be solved was to enable secure release of data from the DBMS domain to the user domain. Fortunately, Lock supports the implementation of assured pipelines, which have been used in LDV to transfer data between the DBMS and user domains. Assurance is achieved through appropriate trusted import and export filters (hardware and software devices).

Two basic extensions to the Lock security policy have been implemented in LDV. Both extensions concern the proper classification of data. The first extension relates to the insertion and update of data. In the course of an insert or update, data are assigned to the Lock type which is classified at the lowest level at which the tuple can be stored securely. The second extension is concerned with query results. The result of a query is transferred from Lock types into ordinary objects and the appropriate security level of the query result is derived.

The two policies are enforced in LDV by means of three assured pipelines: the query/response pipeline, the data/input pipeline, and the database definition/metadata pipeline.

The query/response pipeline is the query processor of LDV. It consists of a set of processes which execute multi-user retrieval requests, integrate data from different Lock types, and output information at an appropriate security level. A user-supplied query is first mapped from the application domain into the DBMS domain; the query is then processed, the result is labeled and, finally, exported to the user. To prevent logical inference over time, the response pipeline includes a history function. This mechanism can be used to trace queries already performed for a particular user and to deny access to relations based on the querying history of the user.

The data/input pipeline is responsible for the actions that have to be taken whenever a user issues an insert, modify, or delete operation. The request must first be mapped from the application domain to the DBMS domain and then processed. A delete request will affect only data at a single classification level (restricted *-property of BLP). For consistency reasons, data are not actually removed but only labeled as deleted. Before the actual removal takes place, certain consistency checks are performed. More complicated is the case in which the request involves an insert operation. Classification rules that may be present in the data dictionary (see the discussion of the database definition/metadata pipeline) may make it necessary to decompose a relation tuple into different subtuples, which are then stored in separate files, each with a different classification. A modify request is implemented in a way similar to the insert operation.

The database definition/metadata pipeline interacts with the LDV data dictionary and is used to create, delete, and maintain metadata. Metadata either correspond to definitions of the database structure (relations, views, attributes, domains) or are classification constraints. Classification constraints are rules that are responsible for assigning proper classification levels to data. The use of the metadata pipeline is restricted to the database administrator or database security officer (DBSSO). Here, again, Lock type enforcement mechanisms are used to isolate metadata in files that can be accessed only by the DBMS domain and the DBSSO domain, and not by the application domain.

A few final words on the organization of an LDV database. Data are distributed across Lock files, and the basic scheme is to assign a single set of files to each security level. The data/input pipeline determines the appropriate assignment of data to files through examination of the classification constraints stored in the data dictionary. In LDV there is no replication of data across different security levels. The advantage of this approach lies in the simplicity of updates. However, the approach suffers from a significant performance penalty for retrieval requests due to the need for a recovery algorithm. The recovery algorithm used in LDV is outlined by Stachour and Thuraisingham (1990).
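The following is an added illustration, not LDV or Lock code, of the two mechanisms described above: a domain definition table that confines Lock files to the DBMS domain and metadata to the DBSSO domain, and a data/input pipeline that classifies a tuple on the way in together with a query/response pipeline that labels the result on the way out. The domains, object types, the single classification constraint and the ships relation are assumptions, and the pipeline processes are assumed to run trusted at system high inside the DBMS domain.

```python
# Added example: Lock-style type enforcement plus LDV-style assured pipelines.
# Not LDV or Lock code; domains, types, constraint and data are assumed.
from typing import Callable, Dict, List, Set, Tuple

LEVELS = ["U", "Co", "S", "TS"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


class TypeEnforcementError(Exception):
    """Access not permitted by the domain definition table or by clearance."""


# Domain definition table: (subject domain, object type) -> permitted accesses.
DDT: Dict[Tuple[str, str], Set[str]] = {
    ("dbms", "lock_file"): {"read", "write"},     # database fragments, DBMS domain only
    ("dbms", "metadata_file"): {"read"},          # classification constraints
    ("dbsso", "metadata_file"): {"read", "write"},
    ("dbms", "user_object"): {"write"},           # export side of the pipeline
    ("user", "user_object"): {"read"},
}


class LockObject:
    def __init__(self, name: str, obj_type: str, level: str, content):
        self.name, self.type, self.level, self.content = name, obj_type, level, content


class Lock:
    """The TCB: every access is checked against the DDT and, for reads,
    against the subject's clearance (simple security property)."""

    def __init__(self):
        self.objects: Dict[str, LockObject] = {}

    def write(self, domain: str, obj: LockObject) -> None:
        if "write" not in DDT.get((domain, obj.type), set()):
            raise TypeEnforcementError(f"{domain} may not write {obj.type}")
        self.objects[obj.name] = obj

    def read(self, domain: str, clearance: str, name: str) -> LockObject:
        obj = self.objects[name]
        if "read" not in DDT.get((domain, obj.type), set()):
            raise TypeEnforcementError(f"{domain} may not read {obj.type}")
        if RANK[obj.level] > RANK[clearance]:
            raise TypeEnforcementError(f"{name} ({obj.level}) dominates clearance {clearance}")
        return obj


class LDVLike:
    """DBMS domain: one Lock file per level holds the ships relation, and the
    classification constraint lives in a metadata file written by the DBSSO."""

    def __init__(self, tcb: Lock):
        self.tcb = tcb
        for lvl in LEVELS:
            tcb.write("dbms", LockObject(f"ships.{lvl}", "lock_file", lvl, []))
        rule: Callable[[dict], str] = lambda t: "S" if t["cargo"] == "arms" else "U"
        tcb.write("dbsso", LockObject("ships.meta", "metadata_file", "U", rule))

    def insert(self, tup: dict) -> str:
        """Data/input pipeline: classify the tuple through the constraint and store
        it in the lowest file at which it can be held securely."""
        rule = self.tcb.read("dbms", "TS", "ships.meta").content    # pipeline runs system high
        lvl = rule(tup)
        self.tcb.read("dbms", "TS", f"ships.{lvl}").content.append(dict(tup))
        return lvl

    def query(self, user: str, clearance: str, pred: Callable[[dict], bool]) -> LockObject:
        """Query/response pipeline: evaluate over the fragments the user may read,
        label the result with the least upper bound of the levels that contributed,
        and export it as an ordinary user object of that level."""
        rows: List[dict] = []
        levels: List[str] = []
        for lvl in LEVELS:
            if RANK[lvl] > RANK[clearance]:
                continue
            hits = [t for t in self.tcb.read("dbms", clearance, f"ships.{lvl}").content if pred(t)]
            if hits:
                rows.extend(hits)
                levels.append(lvl)
        label = max(levels, key=lambda l: RANK[l]) if levels else "U"
        out = LockObject(f"response.{user}", "user_object", label, rows)
        self.tcb.write("dbms", out)                    # export filter
        return self.tcb.read("user", clearance, out.name)


def demo():
    tcb = L = Lock()
    db = LDVLike(tcb)
    placed = [db.insert({"ship": "Vigil", "cargo": "grain"}),
              db.insert({"ship": "Orion", "cargo": "arms"})]
    secret = db.query("ann", "S", lambda t: True)
    low = db.query("bob", "U", lambda t: True)
    try:
        L.read("user", "TS", "ships.S")       # user domain touching a Lock file directly
        direct = "allowed"
    except TypeEnforcementError:
        direct = "blocked"
    return placed, secret, low, direct
```

Note that the user domain is stopped by the DDT before clearance is even considered: a TS-cleared user cannot open a Lock file, only the user object the pipeline exports, which is what keeps the DBMS code rather than the user's program in the loop that derives the result label.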
3.3 ASD-Views

ASD-Views, implemented on top of an existing DBMS called ASD, is a research project at TRW. ASD is a multilevel relational system offering classification at the tuple level. In 1988 attempts were begun at TRW to extend ASD and to choose views as the objects of mandatory as well as discretionary security. Wilson (1988) discussed the advantages and disadvantages of views as the target of protection within ASD-Views. Among the advantages he stated the following:

• Views are very flexible and can be used to define access control based on the content of the data.
• The view definition itself documents the criteria used to determine the classification of data.
• Arithmetic and aggregate functions could be used to define views.
• Tuple-level classification can be achieved by specifying horizontal views, and attribute-level classification by specifying vertical subsets of relations.
• Access control lists can be associated with views and can control discretionary access. Thus, the same concept could be used for mandatory and discretionary protection.

However, there are also certain major disadvantages in using views for mandatory protection, two of which are as follows:

• The view definitions may need to be considered part of the TCB. View-based DBMSs tend to be very large, since views are responsible for most of the code of the DBMS. Since a small TCB is required for successful evaluation of the correctness of the specifications and the code, including the maintenance of views within the TCB would enormously increase the verification effort.
• Not all data are updateable through certain views.

To overcome these disadvantages, Garvey and Wu (1988) included in a near-term design of ASD-Views the requirement that each view must include a candidate key of the underlying base relation and, moreover, that the near-term design should support only a restricted query language for defining secure views. ASD-Views was restricted so that, for example, a view definition may describe a subset of data from a single base relation only, while joins, aggregate functions, and arithmetic expressions are not allowed. The authors of ASD-Views argue that these restrictions minimized the TCB code considerably. In ASD-Views the restricted views are the security objects, and base tables can only be accessed through views. In ASD-Views the creation of a view must be trusted, since otherwise a Trojan horse in untrusted code could switch the names of two columns, causing data at a higher security level to become visible to a user logged in at a lower level. During database initialization a trusted database administrator creates all the tables and their associated views and assigns a classification level to each view. When a user logs in to ASD-Views, a user process is created at the user's login clearance, and discretionary and mandatory access checks on the referenced views can be performed.

Because ASD-Views is built on top of ASD, the system may operate in all three modes of operation of ASD (Hinke et al., 1992). In the first mode of operation, the DBMS is a server in a local-area network. In the second mode of operation, the system serves as a back-end DBMS for single-level or multilevel host computers. In the final mode of operation, the system serves as a host-resident DBMS within a multilevel host running a multilevel secure operating system.
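The restricted view language and the two access checks described above can be captured in a small checker. The following Python is an added example, not ASD-Views code; the base relation, its candidate key, the views, users and clearances are assumed for illustration, and view definitions are structured dictionaries rather than SQL text.

```python
# Added example: validator for the restricted view definitions of the near-term
# ASD-Views design, with MAC and DAC checks at view access. Not ASD-Views code;
# the relation, key, views, users and clearances are assumed.
from typing import Dict, List, Set, Tuple

LEVELS = ["U", "Co", "S", "TS"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Assumed base relation, reachable only through views; constructed sample rows.
BASE = {"ships": {"key": {"ship"}, "columns": ["ship", "dest", "cargo"]}}
ROWS = [
    {"ship": "Vigil", "dest": "Lisbon", "cargo": "grain"},
    {"ship": "Orion", "dest": "Cyprus", "cargo": "arms"},
]


class ViewError(Exception):
    """View definition outside the restricted language, or access denied."""


def validate_view(view: dict) -> None:
    """Restricted view language: exactly one base relation, plain base columns
    only (no arithmetic, no aggregates), simple selections, and the candidate
    key of the base relation must be among the projected columns."""
    if "join" in view or view["base"] not in BASE:
        raise ViewError("a view must be defined over a single base relation")
    base = BASE[view["base"]]
    for col in view["columns"]:
        if not col.isidentifier() or col not in base["columns"]:
            raise ViewError(f"{col!r} is not a plain column of {view['base']}")
    if not base["key"] <= set(view["columns"]):
        raise ViewError("a view must include the candidate key of its base relation")
    for col, op, _ in view.get("where", []):
        if col not in base["columns"] or op not in ("=", "!="):
            raise ViewError("selections must be simple comparisons on base columns")


class ASDViews:
    def __init__(self):
        self.views: Dict[str, Tuple[dict, str]] = {}   # name -> (definition, level)
        self.acl: Dict[str, Set[str]] = {}             # name -> users with read access

    def create_view(self, name: str, view: dict, level: str, readers: Set[str]) -> None:
        """Trusted step performed at database initialization by the DBA."""
        validate_view(view)
        self.views[name] = (view, level)
        self.acl[name] = set(readers)

    def select(self, user: str, clearance: str, name: str) -> List[dict]:
        view, level = self.views[name]
        if RANK[level] > RANK[clearance]:                 # mandatory check
            raise ViewError(f"{name} is {level}; {user} is cleared to {clearance}")
        if user not in self.acl[name]:                    # discretionary check
            raise ViewError(f"{user} is not on the ACL of {name}")

        def keep(r: dict) -> bool:
            return all((r[c] == v) if op == "=" else (r[c] != v)
                       for c, op, v in view.get("where", []))

        return [{c: r[c] for c in view["columns"]} for r in ROWS if keep(r)]


def demo() -> Dict[str, object]:
    db = ASDViews()
    db.create_view("manifest", {"base": "ships", "columns": ["ship", "dest"]}, "U", {"ann", "bob"})
    db.create_view("arms_cargo", {"base": "ships", "columns": ["ship", "cargo"],
                                  "where": [("cargo", "=", "arms")]}, "S", {"ann"})
    out: Dict[str, object] = {"ann_arms": db.select("ann", "S", "arms_cargo"),
                              "bob_manifest": db.select("bob", "U", "manifest")}
    rejected = {
        "aggregate": {"base": "ships", "columns": ["ship", "count(cargo)"]},
        "no_key": {"base": "ships", "columns": ["dest"]},
        "join": {"base": "ships", "join": "ports", "columns": ["ship"]},
    }
    for label, view in rejected.items():
        try:
            validate_view(view)
            out[label] = "accepted"
        except ViewError:
            out[label] = "rejected"
    for label, call in {"bob_arms_mac": lambda: db.select("bob", "U", "arms_cargo"),
                        "bob_arms_dac": lambda: db.select("bob", "TS", "arms_cargo")}.items():
        try:
            call()
            out[label] = "allowed"
        except ViewError:
            out[label] = "denied"
    return out
```

The validator is the part that the restriction to a single base relation without joins, aggregates or arithmetic buys: it is small enough to be reviewed as part of the trusted view-creation step, whereas a checker for arbitrary SQL views would be most of a query compiler.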
4. Conceptual Data Model for Multilevel Security

Designing a database is a complex and time-consuming task, even more so when attention must also be given to the security of the resulting database. Database design, including the design of databases containing sensitive data, is normally done in a process consisting of at least three main design phases (Fugini, 1988). The first phase, conceptual design, produces a high-level, abstract representation of the database application. The second phase, called logical design, translates this representation into specifications that can be implemented using a DBMS. The third phase, physical design, determines the physical requirements for efficient processing of database operations. Conceptual and logical design can be performed independently of the choice of a particular DBMS, whereas physical design is strongly system dependent.

In this section we will develop a conceptual data model for multilevel security. Such a data model is of particular importance to a security administrator who wishes to get a clear understanding of the security semantics of the database application. The model proposed combines well-accepted technology from the field of semantic data modeling with multilevel security. We will start by identifying the basic requirements of a conceptual data model. The following characteristics of a conceptual database model have been discussed in the literature (see Elmasri and Navathe (1989) or Navathe and Pernul (1992)):

• Expressiveness. The data model must be powerful enough to point out common distinctions between different types of data, relationships, and constraints. Moreover, the model must offer a toolset to describe the entire set of application-dependent semantics.
• Simplicity. The model should be simple enough for a typical user or end user to understand and should, therefore, possess a diagrammatic representation.
• Minimality. The model should comprise only a small number of basic concepts. Concepts must not overlap in meaning.
• Formality. The concepts of the model should be formally defined and should be correct. Thus, a conceptual schema can be seen as a formal, unambiguous abstraction of reality.
Semantic data models address these requirements and provide constructs which represent the semantics of the application domain correctly. In the proposed approach to the construction of a semantic data model for security we use Chen's Entity-Relationship (ER) model with the enhancements needed for multilevel security. The decision to choose ER is motivated by the fact that this model is extensively used in many database design methodologies, possesses an effective graphical representation, and is the de facto standard of most tools which support database design. We will not discuss aspects related to data semantics, though we will describe in detail the application-dependent security semantics which have to be considered in a conceptual data model for multilevel security. For details on the ER approach and questions related to conceptual database design the reader is referred to Batini et al. (1992).

Compared to the enormous amount of published literature on semantic modeling and the conceptual design of databases, not much work has been done in investigating the security semantics of multilevel secure database applications. Only recently have there been studies aimed at providing tools and assistance to help the designer working on a multilevel database application. The first attempts to use a conceptual model to represent security semantics were those of G. W. Smith (1990a, 1990b). Smith developed a semantic data model for security (SDMS) based on a conceptual database model and a constraint language. It was a careful and promising first step which has influenced all succeeding approaches. More recent efforts have been attempted as part of the SPEAR project (Wiseman, 1991 and Sell, 1992). SPEAR is a high-level data model that resembles the ER approach. It consists of an informal description of the application domain and of a mathematical specification which employs a formal specification language.

Two further related projects are known, both of which attempt to include dynamics, in addition to modeling the static part of the application, as part of the conceptual modeling process. In Burns (1992) the ER model was extended to capture limited behavior by including the operations 'create', 'find', and 'link' in the conceptual database representation, whereas in Pernul (1992b) ER was used to model the static part of an MLS application while data-flow diagramming was used to model the behavior of the system. The discussion in the following subsections partly adopts the graphical notation developed in Pernul (1992b).

The proposal made in the present section considerably extends previous work on security semantics. In particular,

• it carefully defines the major security semantics that have to be expressed in the design of a multilevel application
• it outlines a security-constraints language (SCL) to express the corresponding rules in a conceptual model of the application
• it provides a graphical notation for constraints expressed in the ER model
• it gives general rules to detect conflicting constraints
• it suggests implementation of the constraint system in a rule-based system so as to achieve completeness and consistency of the security semantics.
4.1
Concepts of Security Semantics
The notion of security semantics embraces all security-relevant knowledge about the application domain. It is concerned mainly with the secrecy and privacy aspect of information (maintaining confidentiality against the risk of disclosure) and with the integrity aspect of information (assuring that data are not corrupted). Within the framework of multilevel security, security semantics consists basically of rules (security constraints) classifying both data and query results. The rules are specified by the database designer and must correctly represent the level of sensitivity of the classified data. In considering security semantics, certain concepts deserve special attention as regards the classification constraints:

- Identifier. A property which uniquely identifies an object of the real world is called its key or identifier. In security semantics there is also the notion of a near-key, a property that identifies a particular object not uniquely but most of the time. For example, the SSN of an employee is a key while the property Name is a near-key.
- Content. The sensitivity of an object of a certain type usually depends on its content, i.e., actual data values or associations of data with metadata serve to classify an object.
- Concealing Existence. In security-critical applications it may be necessary to conceal the very existence of classified data, i.e., it is not sufficient to provide unauthorized users with null values for certain facts.
- Attribute-Attribute Value. Most data make sense only when combined with metadata. As a result, in referring to a classified property, it is understood that both the property and its value are classified.
- Nonconflicting Constraint Set. For large applications it may be necessary to express a large set of security constraints at the conceptual database level. Verifying the consistency of the specified constraints is one of the more difficult tasks. The approach proposed here distinguishes two types of conflicts. Depending on the type, a conflict may be resolved automatically, or the designer is notified and decides upon a suitable resolution strategy.
- Default Security Level. A set of classification constraints is complete if every piece of data has a classification level assigned to it via the classification constraints. In our approach completeness is enforced by ensuring that every piece of data has a default classification. The security level public cannot be assigned explicitly and is instead used as an initial classification in order to ensure completeness. If no further classification rules are applicable to certain data, public has the semantic meaning that the data are not classified at all.
In the following discussion we present a taxonomy of security semantics consisting of the most common application-dependent requirements on multilevel security. Each requirement is formally defined, expressed in a security-constraint language (SCL), included explicitly in the notation of the ER model, and explicated by means of an example. We start with the basic concepts. An object type $O$ is a semantic real-world concept that is described by certain properties. Using ER terminology, $O$ might be an entity type, a specialization type, a generic object, or a relationship type. In security terminology, $O$ is the target of protection and is denoted $O(A_1, \ldots, A_n)$. Each $A_i$ ($i = 1..n$) is a characteristic property defined over a domain $D_i$. Each security object must possess an identifying property $K$ ($K \subseteq \{A_1, \ldots, A_n\}$) which distinguishes instances (occurrences) $o$ of $O$ ($o = (a_1, \ldots, a_n)$, $a_i \in D_i$) from one another. Moving to a multilevel world, the major question now is how to assign the properties and occurrences of $O$ to the correct security classifications. The process of assigning data items to security classifications is called classifying and results in the transformation of a security object $O$ into a multilevel security object $O^M$ ($O \Rightarrow O^M$). The transformation is performed by means of the security constraints. In the following we assume $O^M$ is a flat table as in the definition of an MLS relation in the Jajodia-Sandhu model introduced in Subsection 2.2.2. Figure 6 contains graphical extensions which have been proposed for the Entity-Relationship model. Though very simple, these extensions offer a powerful tool for representing very complex application-dependent security constraints. They are stated in terms of sensitivity levels, ranges of sensitivity levels, security dependencies, predicates, and association, aggregation, and inference constraints. For the sake of simplicity, we distinguish only four different levels of sensitivity.
If a finer granularity is required, the model can easily be extended to capture additional levels.

FIG. 6. Graphical extensions to ER. (Legend: secrecy levels; ranges of secrecy levels, e.g. [U..S], [Co..TS]; association leading to S (NK: near-key attribute); aggregation leading to TS (N: constant); inference leading to Co; security dependency; evaluation of predicate P.)

A sensitivity level may be assigned to any structural concept of the ER model. If the occurrences of a security object are not uniformly labeled, a valid range of classifications is indicated by placing the corresponding abbreviations next to the concept. In this case the concept itself must show a level that is dominated by all classifications of the instances or properties of the security object. The concept of a security dependency is introduced to indicate the origin of a classification. Predicates are included to express constraints that depend on the content of the security objects. Predicates cannot be specified in the diagrammatic representation and are instead expressed by means of the security-constraint language SCL. Other graphical extensions will be discussed when the corresponding classification constraints are introduced. The model we are proposing distinguishes between two types of security constraints, application-independent and application-dependent constraints. Application-independent constraints must be valid in every multilevel database, whereas application-dependent constraints are specified by the database designer. Following the proposed methodology, the design of a multilevel database application becomes a two-phase activity. In the first design phase the designer specifies the application-dependent security requirements using ER modeling techniques together with SCL. In the second phase the constraints are analyzed, inasmuch as the specified constraints may conflict with other constraints or may violate application-independent rules. In the semantic data model for multilevel security we are proposing, the final design step involves checking the constraints for conflicts, resolving conflicting constraints, and applying the nonconflicting constraint set to construct a conceptual representation of the multilevel application. Consistency and conflict management are discussed in Subsection 4.3 in more detail.
4.2 Classification Constraints

In the following discussion we present a taxonomy of the most relevant security semantics that have to be expressed in a conceptual data model. These constraints were initially defined by Pernul et al. (1993). Two types of application-dependent classification constraints are distinguished: (a) constraints that classify the characteristic properties of security objects (simple, content-based, complex, and level-based constraints), and (b) constraints that classify retrieval results (association-based, inference, and aggregation constraints). The examples which we will consider focus on the Project-Employee database given in the Introduction. We assume the existence of a single category only and a list SL of four sensitivity levels, denoted SL = {TS, S, Co, U}. Note that the default level public is not in SL and, therefore, may not be assigned except for initializing.
4.2.1 Simple Constraints

Simple constraints classify certain characteristic properties of the security objects, for example, the characteristic property that employees have a salary (i.e., classifying property Salary) or the fact that employees are assigned to projects.
FIG. 7. Graphical representation of simple constraint.
Definition. Let $X$ be a set of characteristic properties of security object $O$ ($X \subseteq \{A_1, \ldots, A_n\}$). A simple security constraint SiC is a classification of the form $SiC(O(X)) = C$ ($C \in SL$), and results in a multilevel object $O^M(A_1, C_1, \ldots, A_n, C_n, TC)$, where $C_i = C$ for all $A_i \in X$, and $C_i$ is not changed if $A_i \notin X$.

SCL predicate. SiC(O, X, C), where O is the security object under consideration, X the set of characteristic properties to be classified, and C the desired security level.

Example and graphical representation. The property Function of Assignment is regarded as secret information (Fig. 7).

SiC(Assignment, {Function}, S)
4.2.2 Content-Based Constraints

Content-based constraints classify characteristic properties of the security objects based on the evaluation of a predicate defined on specific properties of this object.

Definition. Let $A_i$ be a characteristic property of security object $O$ with domain $D_i$, $P$ a predicate defined on $A_i$, and $X \subseteq \{A_1, \ldots, A_n\}$. A content-based constraint CbC is a security classification of the form $CbC(O(X), P: A_i\,\theta\,a) = C$ or $CbC(O(X), P: A_i\,\theta\,A_j) = C$ ($\theta \in \{=, \neq, <, >, \le, \ge\}$, $a \in D_i$, $i \neq j$, $C \in SL$). A predicate may be combined with other predicates by means of logical operators. For any instance $o$ of security object $O(A_1, \ldots, A_n)$ for which the predicate evaluates true, a transformation to $o(a_1, c_1, \ldots, a_n, c_n, tc)$ is performed. Classifications are assigned in such a way that $c_i = C$ if $A_i \in X$; otherwise $c_i$ is not changed.

SCL predicate. CbC(O, X, A, θ, V, C), where O is the security object under consideration, X the set of characteristic properties to be classified, A the evaluated characteristic property $A_i$, θ the comparison operator, V the comparison value $a$ or characteristic property $A_j$, and C the desired security level.

Example and graphical representation. Properties SSN and Name of employees with a salary ≥ 100 are treated as confidential information (Fig. 8).

CbC(Employee, {SSN, Name}, Salary, '≥', '100', Co)
FIG. 8. Graphical representation of content-based constraint.
4.2.3 Complex Constraints

Complex security constraints relate two different security objects participating in a dependency relationship. They are treated like content-based constraints, the only difference being that the predicate is evaluated on a specific property of the independent security object, yielding a classification of the properties of the associated dependent security object.

Definition. Let $O$, $O'$ be two security objects and assume that the existence of an instance $o$ of $O$ depends on the existence of a corresponding occurrence $o'$ of $O'$, where the $k$ values of the identifying property $K'$ of $O'$ are identical to $k$ values of the characteristic properties of $o$ (foreign key). Let $P(O')$ be a valid predicate (in the sense of the content-based constraints) defined on $O'$ and let $X \subseteq \{A_1, \ldots, A_n\}$ be an attribute set of $O$. A complex security constraint CoC is a security classification of the form $CoC(O(X), P(O')) = C$ ($C \in SL$). For every instance $o$ of security object $O(A_1, \ldots, A_n)$ for which the predicate evaluates true in the related occurrence $o'$ of $O'$, a transformation to $o(a_1, c_1, \ldots, a_n, c_n, tc)$ is performed. Classifications are assigned in such a way that $c_i = C$ if $A_i \in X$; otherwise $c_i$ is unchanged.

SCL predicate. CoC(OD, X, O, A, θ, V, C), where OD is the dependent security object under consideration, X the set of characteristic properties of OD which are to be classified, O the independent security object, A the evaluated characteristic property $A_i$ of O, θ the comparison operator, V the comparison value $a$ or characteristic property $A_j$ of O, and C the desired security level.

Example and graphical representation. Individual assignment data (SSN) are regarded as secret information if the assignment refers to a project with Subject = ‘Research’ (Fig. 9).

CoC(Assignment, {SSN}, Project, Subject, ‘=’, ‘Research’, S)
FIG. 9. Graphical representation of complex constraint.
4.2.4 Level-Based Constraints

Level-based security constraints classify characteristic properties based on the classification of certain other properties of the same security object. This signifies that for all instances of a security object, the particular characteristic properties are always required to be at the same security level.

Definition. Let $level(A_i)$ be a function that returns the classification $c_i$ of the value of characteristic property $A_i$ in the object $o(a_1, c_1, \ldots, a_n, c_n, tc)$ of a multilevel security object $O^M$. Let $X$ be a set of characteristic properties of $O^M$ such that $X \subseteq \{A_1, \ldots, A_n\}$. A level-based security constraint LbC is a classification of the form $LbC(O(X)) = level(A_i)$ and for every object $o(a_1, c_1, \ldots, a_n, c_n, tc)$ results in the assignment $c_j = c_i$ if $A_j \in X$.

SCL predicate. LbC(O, X, A), where O is the security object under consideration, X the set of characteristic properties to be classified, and A the governing characteristic property.

Example and graphical representation. The property Client of security object Project must always have the same classification as the property Subject of the Project (Fig. 10).

LbC(Project, {Client}, Subject)

While the constraints which we have considered so far classify characteristic properties of security objects, the following additional constraints classify retrieval results. This is necessary since security may require that the sensitivity of the result of a query be different from the classifications of the constituent security objects. By this policy we respond to the logical association, aggregation, and logical inference problems.
FIG. 10. Graphical representation of level-based constraint.
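The four property-classifying constraints above (SiC, CbC, CoC, LbC) can be read as a small interpreter that labels the rows of flat MLS tables. The following Python block is an added example; it is not code from the chapter or from the author's prototype. The table layout, the Attr marker for a comparison value that names a property, the sample rows, and the use of the higher level where two constraints label the same value are assumptions made here. Design-time consistency (entity integrity, foreign keys, conflict notification) is the subject of Subsection 4.3 and is not checked by this block.

```python
# Added example (not from the chapter): applying the property-classifying
# constraints SiC, CbC, CoC and LbC of Subsections 4.2.1-4.2.4 to instances of
# the Project-Employee database.  Table layout, the Attr marker and the sample
# rows are constructed for illustration; the tuple class tc is taken as the
# maximum of a row's property labels, as in a flat MLS relation.
import operator

LEVELS = ["public", "U", "Co", "S", "TS"]        # public only initialises
RANK = {lv: i for i, lv in enumerate(LEVELS)}
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}


class Attr(str):
    """Marks a comparison value V that names a property A_j instead of a constant a."""


def lub(a, b):
    """Least upper bound of two levels (the chapter's default resolution: the maximum)."""
    return a if RANK[a] >= RANK[b] else b


class MLObject:
    """Multilevel security object O^M(A1, C1, ..., An, Cn, TC) as a flat table."""

    def __init__(self, key, rows):
        self.key = key                                          # identifying property K
        self.rows = [dict(r) for r in rows]                     # values a_i
        self.labels = [{a: "public" for a in r} for r in rows]  # labels c_i, all public

    def label(self, i, props, level):
        """c_i := C for A_i in X; a higher existing label is kept (lub)."""
        for a in props:
            self.labels[i][a] = lub(self.labels[i][a], level)

    def tc(self, i):
        return max(self.labels[i].values(), key=RANK.__getitem__)


def holds(row, attr, theta, value):
    """Predicate P: A_i theta a, or A_i theta A_j when value is an Attr."""
    rhs = row[value] if isinstance(value, Attr) else value
    return OPS[theta](row[attr], rhs)


def SiC(db, O, X, C):
    for i in range(len(db[O].rows)):
        db[O].label(i, X, C)


def CbC(db, O, X, A, theta, V, C):
    for i, row in enumerate(db[O].rows):
        if holds(row, A, theta, V):
            db[O].label(i, X, C)


def CoC(db, OD, X, O, A, theta, V, C):
    dep, ind = db[OD], db[O]
    for i, row in enumerate(dep.rows):
        # foreign key: the dependent row carries O's key values under the same names
        ref = next(p for p in ind.rows if all(p[k] == row[k] for k in ind.key))
        if holds(ref, A, theta, V):
            dep.label(i, X, C)


def LbC(db, O, X, A):
    for lab in db[O].labels:
        for a in X:
            lab[a] = lab[A]


def sample_db():
    """Constructed sample rows; not data from the chapter."""
    return {
        "Employee": MLObject(("SSN",), [
            {"SSN": "111", "Name": "Smith", "Dep": "D1", "Salary": 120},
            {"SSN": "222", "Name": "Jones", "Dep": "D2", "Salary": 80}]),
        "Project": MLObject(("Title",), [
            {"Title": "P1", "Subject": "Research", "Client": "Alpha"},
            {"Title": "P2", "Subject": "Development", "Client": "Beta"}]),
        "Assignment": MLObject(("SSN", "Title"), [
            {"SSN": "111", "Title": "P1", "Date": "2023-01-09", "Function": "lead"},
            {"SSN": "222", "Title": "P2", "Date": "2023-03-01", "Function": "member"}]),
    }


def classify(db):
    """Rules 1-4 of the sample design, applied in SCL order."""
    SiC(db, "Assignment", {"Function"}, "S")
    CbC(db, "Employee", {"SSN", "Name"}, "Salary", ">=", 100, "Co")
    CoC(db, "Assignment", {"SSN"}, "Project", "Subject", "=", "Research", "S")
    LbC(db, "Project", {"Client"}, "Subject")
    return db


def table(db, O):
    """Flat MLS relation view: (values, labels, tc) per row."""
    obj = db[O]
    return [(obj.rows[i], obj.labels[i], obj.tc(i)) for i in range(len(obj.rows))]


if __name__ == "__main__":
    db = classify(sample_db())
    for O in db:
        for values, labels, tc in table(db, O):
            print(O, values, labels, "tc=" + tc)
```

Running the block labels Smith's SSN and Name Co (salary 120 ≥ 100) while Jones stays public, and labels the SSN of the assignment to the research project S; note that the resulting Assignment rows violate entity integrity (a key labelled S next to public non-key properties), which is exactly what the propagation rules of Subsection 4.3 repair at design time.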
4.2.5 Association-Based Constraints

Association-based security constraints restrict combining the values of certain characteristic properties with the identifying property of the security object in the retrieval result. This permits access to collective data but prevents the user from relating properties to individual instances of the security object.

Definition. Let $O(A_1, \ldots, A_n)$ be a security object with identifying property $K$. Let $X \subseteq \{A_1, \ldots, A_n\}$ ($K \cap X = \emptyset$) be a set of characteristic properties of $O$. An association-based security constraint AbC is a classification of the form $AbC(O(K, X)) = C$ ($C \in SL$) and results in the assignment of security level $C$ to the retrieval result of each query that takes $X$ together with the identifying property $K$.

SCL predicate. AbC(O, X, C), where O is the security object under consideration, X the set of characteristic properties to be classified when retrieved together with the identifying property, and C the security level.
FIG. 11. Graphical representation of association-based constraint.
Example and graphical representation. The example considers the salary of an individual person as confidential, while the set of salary values without information as to which employee gets what salary is unclassified (Fig. 11).

AbC(Employee, {Salary}, Co)
4.2.6 Aggregation Constraints

Under certain circumstances a combination of several instances of the same security object may be regarded as more sensitive than a query result consisting of a single instance only. This phenomenon is known as the aggregation problem. It occurs in cases where the number of instances in a query result exceeds some specified constant value.

Definition. Let $count(O)$ be a function that returns the number of instances referenced by a particular query and belonging to security object $O(A_1, \ldots, A_n)$. Let $X$ ($X \subseteq \{A_1, \ldots, A_n\}$) be the sensitive characteristic properties of $O$. An aggregation security constraint AgC is a statement of the form $AgC(O(X), count(O) > n) = C$ ($C \in SL$, $n \in \mathbb{N}$) and results in a classification $C$ for the retrieval result of a query if $count(O) > n$, i.e., if the number of instances of $O$ referenced by a query accessing properties $X$ exceeds the value $n$.

SCL predicate. AgC(O, X, N, C), where O is the security object under consideration, X the set of characteristic properties, N the specified value $n$, and C the security level of the corresponding queries.

Example and graphical representation. The information as to which employee is assigned to what projects is considered unclassified. However, aggregating all assignments for a certain project and, thereby, inferring which team (the aggregate of assigned employees) is responsible for what project is considered secret. To treat this situation a maximum value of n = 3 is specified (Fig. 12).

AgC(Assignment, {Title}, '3', S)

FIG. 12. Graphical representation of aggregation-based constraint.
4.2.7 Inference Constraints

Inference constraints restrict the use of unclassified data to infer data which is classified. Inferences can occur because of hidden paths that are not explicitly represented in the conceptual data model of the multilevel application. The hidden paths may also involve knowledge from outside the database application domain.

Definition. Let $PO$ be the set of multilevel objects involved in a potential logical inference. Let $O$, $O'$ be two particular objects from $PO$ with corresponding multilevel representations $O^M(A_1, C_1, \ldots, A_n, C_n, TC)$ and $O'^M(A'_1, C'_1, \ldots, A'_m, C'_m, TC')$. Let $X \subseteq \{A_1, \ldots, A_n\}$ and $Y \subseteq \{A'_1, \ldots, A'_m\}$. A logical inference constraint IfC is a statement $IfC(O(X), O'(Y)) = C$ and results in the assignment of security level $C$ to the retrieval result of each query that takes $Y$ together with the properties in $X$.

SCL predicate. IfC(O1, X1, O2, X2, C), where O1 is the first security object involved, X1 the set of characteristic properties of O1 that might be used for logical inference, O2 the second security object, X2 the attribute set of O2, and C the security level of the corresponding queries.

Example and graphical representation. As an example consider a situation in which the information as to which employee is assigned to what projects is considered confidential. Consider, further, that on the basis of access to the department an employee works for and access to the subject of a project, users (with certain knowledge from outside the system) may infer which department is responsible for the project and, thus, can determine which employees are involved. The situation is modeled as follows (Fig. 13).

IfC(Employee, {Dep}, Project, {Subject}, Co)

FIG. 13. Graphical representation of inference constraint.
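The three result-classifying constraints (AbC with the near-key rule of Subsection 4.3, AgC with count(O), IfC) are evaluated against a description of a query rather than against stored data. The Python block below is an added example and not the chapter's tool. The schema with its near-keys, the query descriptions (retrieved properties per security object plus count(O) for the result), and the reading of IfC as firing whenever any property of X1 is combined with any property of X2 are assumptions made here.

```python
# Added example (not from the chapter): classifying retrieval results with the
# association-based, aggregation and inference constraints of Subsections
# 4.2.5-4.2.7, including the near-key property [I4] of Subsection 4.3.  A query
# is described by the properties it retrieves from each security object and by
# count(O), the number of instances of O it references.  Schema, near-keys and
# sample queries are constructed for illustration.

LEVELS = ["public", "U", "Co", "S", "TS"]
RANK = {lv: i for i, lv in enumerate(LEVELS)}

# identifying property K and near-key properties per security object (assumed)
KEYS = {"Employee": {"SSN"}, "Project": {"Title"}, "Assignment": {"SSN", "Title"}}
NEAR_KEYS = {"Employee": {"Name"}, "Project": set(), "Assignment": set()}


def identifies(O, attrs):
    """True if attrs contains the whole key K of O or, by [I4], a near-key of O."""
    return KEYS[O] <= attrs or bool(NEAR_KEYS[O] & attrs)


class AbC:
    """AbC(O, X, C): X retrieved together with K (or a near-key) is classified C."""
    def __init__(self, O, X, C):
        self.O, self.X, self.C = O, set(X), C

    def level(self, query, counts):
        attrs = query.get(self.O, set())
        return self.C if identifies(self.O, attrs) and attrs & self.X else None


class AgC:
    """AgC(O, X, n, C): more than n instances of O carrying properties X are classified C."""
    def __init__(self, O, X, n, C):
        self.O, self.X, self.n, self.C = O, set(X), n, C

    def level(self, query, counts):
        attrs = query.get(self.O, set())
        return self.C if attrs & self.X and counts.get(self.O, 0) > self.n else None


class IfC:
    """IfC(O1, X1, O2, X2, C): properties of X1 retrieved together with properties of X2."""
    def __init__(self, O1, X1, O2, X2, C):
        self.O1, self.X1, self.O2, self.X2, self.C = O1, set(X1), O2, set(X2), C

    def level(self, query, counts):
        # conservative reading: any property of X1 combined with any property of X2 fires
        if query.get(self.O1, set()) & self.X1 and query.get(self.O2, set()) & self.X2:
            return self.C
        return None


def classify_result(query, counts, constraints):
    """Return (level, fired): the lub of all constraints that fire, or 'public'
    when none does (the result then carries only its constituents' labels)."""
    fired = [(type(c).__name__, c.level(query, counts)) for c in constraints]
    fired = [(name, lv) for name, lv in fired if lv is not None]
    level = max((lv for _, lv in fired), default="public", key=RANK.__getitem__)
    return level, [name for name, _ in fired]


# rules 5, 6 and 7b of the sample design
CONSTRAINTS = [AbC("Employee", {"Salary"}, "Co"),
               AgC("Assignment", {"Title"}, 3, "S"),
               IfC("Employee", {"Dep"}, "Project", {"Subject"}, "Co")]

# constructed queries: retrieved properties per object, and count(O) of the result
QUERIES = {
    "all salaries":           ({"Employee": {"Salary"}}, {"Employee": 40}),
    "salary by SSN":          ({"Employee": {"SSN", "Salary"}}, {"Employee": 1}),
    "salary by name":         ({"Employee": {"Name", "Salary"}}, {"Employee": 1}),
    "two assignments of P1":  ({"Assignment": {"SSN", "Title"}}, {"Assignment": 2}),
    "whole team of P1":       ({"Assignment": {"SSN", "Title"}}, {"Assignment": 4}),
    "department vs. subject": ({"Employee": {"Dep"}, "Project": {"Subject"}},
                               {"Employee": 40, "Project": 6}),
}


def run_all():
    return {name: classify_result(q, c, CONSTRAINTS) for name, (q, c) in QUERIES.items()}


if __name__ == "__main__":
    for name, (level, fired) in run_all().items():
        print("%-24s -> %-7s %s" % (name, level, fired))
```

The "salary by name" query shows why [I4] matters: without the near-key rule the AbC on Salary would be bypassed simply by selecting Name instead of SSN. The two Assignment queries differ only in count(O), which is what the aggregation constraint keys on.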
4.3 Consistency and Conflict Management
The classification constraints specified by the designer must be stored in a rule base. For complex applications it might be necessary to express a large set of security constraints at the conceptual database level. Verifying the consistency of the constraints is one of the more difficult design tasks. We propose that an automated tool which dynamically assists the designer in the specification and refinement of the security constraints be applied here. The tool must ensure that the consistency of the rule base is maintained whenever a classification constraint is updated or a new constraint is inserted into the rule base. In the proposed conceptual model for multilevel security two types of conflicts are distinguished. The first type concerns conflicts between application-dependent and application-independent constraints. Because we are expressing the security semantics in the conceptual schema, application-independent multilevel constraints could be violated. In the proposed system these conflicts are detected automatically, the conflicts are resolved, and, finally, the designer is notified. If an application-dependent security constraint is in conflict with an application-independent constraint, the designer does not have the option of overriding the changes performed by the tool. The second kind of conflict deals with conflicting application-dependent security constraints. The designer is informed of such conflicts and then decides on the correct classification. As a default strategy, the tool suggests the maximum of the conflicting security levels, to guarantee the highest degree of security possible. The following is the set of integrity constraints which the set of classification constraints must satisfy:
[Ill: Multilevel Integrity. Each property must have a security level. This is satisfied, since in initial classifying, all properties are assigned to the default security level. [I2]: Entity Integrity. All properties forming an identifying property must be uniformly classified and must be dominated by all the other classification of the object. The tuple-class must dominate all classifications. A multilevel security object 0" with identifying property K (apparent key) satisfies entity integrity property if for all occurrences
58
GUNTHER PERNUL
o ( q , c1 ,
...,a, ,c, ,tc) of 0"
1. A i , Aj E K * ci = cj 2. Ai E K , Aj 6 K * ci 5 cj 3. tc 2 ci (i = l..n).
[I3]: Foreign-Key Property. The level assigned to a foreign key must dominate the level of the corresponding identifying property. The foreign-key property guarantees that no dangling references between depending objects will occur. Let K be the identifying property in the multilevel security object 0" ( A , , C1, ...,A , , C, , TC) and let it be a foreign key K' in a dependent object 0'"( A ; , C ; , ...,A ; , CL, TC'). The foreign-key property is satisfied if, for any two dependent occurrences o(al ,cl, ...,a,, c, , tc) o f 0" and o'(ai ,c;, ...,a;, c;, t c ' ) of O'", Ai
E K,
A;
E
K' * ci 5 cj'.
[I4]: Near-Key Property. The near-key property is important if an association-based constraint A X (0,X , C ) is specified. In this case C is also propagated to each query that takes a near key instead of the identifying property of 0 together with the attribute set X . [IS]: Level-Based Property. In order to avoid transitive propagation of security levels between specified level-based constraints for any two constraints LbC(0, X , A ) and LbC(0,X ' , A ' ) A 6 X ' and A' 6 X must hold. Additionally, because of entity integrity, a LbC may not be defined on an attribute set including the identifying property. [I61: Multiple-Classification Property. Each value of a characteristic property may have only a single classification. If different security constraints assign more than one level to a particular property value, the conflict the designer must be notified. The designer then decides whether or not t o adopt the default resolution of the strategy.
4.4 Modeling the Example Application
Classifying is performed by stepwise insertion of security constraints into the rule base. Declaring a new constraint is an interactive process between tool and designer whereby each constraint is validated against the integrity constraints. If a conflict is detected which violates an application-independent integrity constraint, the constraint is enforced by propagating the required classification to the characteristic properties involved. If a conflict is due to multiple classification, the designer is told of the conflict and decides whether or not to adopt the default resolution strategy. Let us now apply the classification requirements to the sample design. For the sake of convenience, the corresponding rules specified in SCL are given below once again.

1. SiC(Assignment, {Function}, S)
2. CbC(Employee, {SSN, Name}, Salary, ‘≥’, ‘100’, Co)
3. CoC(Assignment, {SSN}, Project, Subject, ‘=’, ‘Research’, S)
4. LbC(Project, {Client}, Subject)
5. AbC(Employee, {Salary}, Co)
6. AgC(Assignment, {Title}, ‘3’, S)
7a. SiC(Assignment, {SSN, Title}, Co)
7b. IfC(Employee, {Dep}, Project, {Subject}, Co)

Classifying starts with the assignment of the default classification level to every characteristic property. Insertion of rule 1 results in the assignment of S to property Function. No conflicts result. Insertion of rule 2 leads to the assignment of the range [∅..Co] to properties SSN and Name of Employee. That is, if the predicate evaluates true, Co is assigned to the properties; otherwise the classification remains public (denoted ∅). Because of the application-independent integrity constraint which specifies that the classification of the identifying property must be dominated by all other classifications of an object, the insertion of this CbC causes a violation of entity integrity. As a consequence, the classification range [∅..Co] is automatically propagated to the other properties of the object type Employee as well. The identifying property of Employee (i.e., SSN) is also a foreign key in Assignment. Because of the foreign-key property, [∅..Co] must also be propagated to SSN of Assignment. There, classifying SSN with [∅..Co] violates entity integrity, causing, first, propagation of [∅..Co] to the property Title (the key must be uniformly classified) and, second, propagation of [∅..Co] to the properties Date and Function as well (all other classifications must dominate the key). Since property Function is already assigned S, the first conflict arises and is reported to the designer. Let us assume the designer confirms the suggested classification and Function remains classified at S. No further conflicts arise.
The complex security constraint specified as rule 3 states that SSN of Assignment is considered S if an assignment refers to a project with Subject = ‘Research’. Insertion of the constraint into the rule base causes a multiple-classification conflict, because [∅..Co] is already assigned to SSN of Assignment. Let us assume that the designer accepts the suggested default resolution strategy, so that [∅..S] is assigned to SSN. Since the key must be uniformly classified, this causes a conflict with entity integrity and [∅..S] is propagated to property Title as well. Because of the demand that the classification of an identifying property must be dominated by all other classifications of the object, [∅..S] is also propagated to Date and Function. Propagating [∅..S] to attribute Function causes a multiple-classification conflict, because rule 1 has already assigned the classification S. The designer is notified of the conflict. Let us assume that the designer confirms the suggested default resolution strategy and S remains assigned. Figure 14 shows the state of design after conflict resolution and before insertion of constraint 4.

FIG. 14. State of design following application of constraint 3.

Introducing the level-based constraint specified in rule 4 does not cause any conflicts. Inserting the association-based constraint specified in rule 5 causes a violation of the near-key integrity property. The conflict is resolved by including the near-key (the property Name) in the constraint, so that Salary retrieved together with Name is classified Co as well. Inserting rule 6 does not cause any conflicts. Rule 7a leads to multiple classification because SSN and Title of Assignment are already classified at [∅..S]. Let us assume that the designer accepts the default conflict-resolution strategy [Co..S]. Because of the need to enforce entity integrity, this causes propagation of [Co..S] to all the other properties of Assignment as well. In the case of the property Function a conflict arises because Function is already assigned S. We again assume that the designer accepts the suggested resolution strategy. Finally, the inference constraint (rule 7b), which classifies certain query results, is included in the conceptual model. Figure 15 gives a graphical representation of the conceptual data model of the sample multilevel application following classification and conflict resolution. An optional implementation of the graphical browser should provide a tracing facility, giving the designer the ability to trace back all the classification steps which have led to certain classifications.

FIG. 15. Conceptual model of the sample database.

The contribution of this section is to develop a semantic data model for multilevel security. The model provides an integrated approach for modeling both the data and the security semantics of a database application. The proposal made in this section extends previous work on semantic modeling of sensitive information by carefully defining the security semantics considered, providing a constraint language and a graphical notation to express the semantics in a conceptual model, and developing consistency criteria which the set of specified classification constraints must satisfy. The technique can be extended in several directions. In the case of certain database applications, for example, it may also be necessary to model the dynamic aspects of information. A first step in this direction has already been taken by Burns (1992) and Pernul (1992b). The model also has to be completely implemented. So far the implementation is only at the prototype level and covers only the constraint language SCL and conflict management. Implementation of the graphical browser is left for further study. Another important issue for the database community is deciding when to enforce the security constraints represented in the conceptual representation of the database. In general, security constraints may be enforced during database update, during query processing, or during database design. If the constraints are handled during database update, they are treated by the DBMS like integrity constraints. If they are enforced during query processing, they may be treated like derivation rules, that is, employed to assign classifications before data are released from the DBMS domain to the user domain. Finally, if they are handled during the database design phase, they must be properly represented in the database structure and in the metadata. Deciding when to enforce the constraints may depend on the type of constraint being considered. However, it is important to note that enforcing the constraints during query processing or during database update will strongly influence the performance of the database. From this point of view as many constraints as possible should be enforced during the design of the database. The technique proposed in this section serves as a valuable starting point for a logical design stage during which the conceptual representation of the database is transferred into a target data model, for example, the multilevel relational data model.
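The stepwise insertion with propagation described in Subsections 4.3 and 4.4 can be replayed mechanically. The Python block below is an added example and not the author's prototype. It represents each property's classification as a range (lo, hi), takes the elementwise maximum of two ranges as the default resolution strategy, and treats a CbC or CoC as the range [public..C] because its predicate may be false; these are assumptions made here, not definitions from the chapter. Under them the block reproduces the states reported in the walkthrough: Function stays S, SSN and Title of Assignment end at [Co..S], and all properties of Employee end at [public..Co]. Rules 5, 6 and 7b classify query results and therefore change no property range.

```python
# Added example (not the chapter's tool): a rule base that inserts SCL constraints
# stepwise and enforces [I2] (entity integrity), [I3] (foreign key) and [I6]
# (multiple classification) by propagation, replaying the design of Subsection 4.4.
# Assumed representation: each property holds a classification range (lo, hi); the
# default public is ("public", "public"), a uniform level C is (C, C); the default
# resolution is the elementwise maximum, which yields [public..S] and [Co..S].
LEVELS = ["public", "U", "Co", "S", "TS"]
RANK = {lv: i for i, lv in enumerate(LEVELS)}
DEFAULT = ("public", "public")


def lub_range(r1, r2):
    """Default conflict resolution: maximum of the conflicting bounds."""
    return (max(r1[0], r2[0], key=RANK.__getitem__),
            max(r1[1], r2[1], key=RANK.__getitem__))


def dominates(r, k):
    """Range r dominates range k bound by bound."""
    return RANK[r[0]] >= RANK[k[0]] and RANK[r[1]] >= RANK[k[1]]


def fmt(r):
    """Render a range as the text does: 'S' or '[public..Co]'."""
    return r[0] if r[0] == r[1] else "[%s..%s]" % r


class RuleBase:
    def __init__(self, schema, foreign_keys, resolve=lub_range):
        self.schema = schema      # {object: (key attributes, all attributes)}
        self.fks = foreign_keys   # {(dependent object, attr): (object, key attr)}
        self.resolve = resolve    # the designer's decision; default strategy = lub_range
        self.cls = {(o, a): DEFAULT for o, (_, attrs) in schema.items() for a in attrs}
        self.conflicts = []       # (object, attr, old, proposed, resolved, cause)

    def assign(self, O, A, rng, cause):
        old = self.cls[(O, A)]
        if old == rng:
            return
        new = rng
        if old != DEFAULT:                                   # [I6] multiple classification
            new = self.resolve(old, rng)
            sig = (O, A, fmt(old), fmt(rng))
            if sig not in {c[:4] for c in self.conflicts}:   # notify the designer once
                self.conflicts.append(sig + (fmt(new), cause))
            if new == old:
                return
        self.cls[(O, A)] = new
        self.propagate(O, A, new)

    def propagate(self, O, A, rng):
        key, attrs = self.schema[O]
        if A not in key:
            return
        for B in attrs:                    # [I2] uniform key; other properties dominate it
            if B != A:
                self.assign(O, B, rng, "I2 via %s.%s" % (O, A))
        for dep, ref in self.fks.items():  # [I3] a foreign key dominates the referenced key
            if ref == (O, A):
                self.assign(dep[0], dep[1], rng, "I3 via %s.%s" % (O, A))

    def SiC(self, O, X, C):
        for A in X:
            self.assign(O, A, (C, C), "SiC")

    def CbC(self, O, X, A, theta, V, C):   # the predicate may be false: range [public..C]
        for B in X:
            self.assign(O, B, ("public", C), "CbC")

    def CoC(self, OD, X, O, A, theta, V, C):
        for B in X:
            self.assign(OD, B, ("public", C), "CoC")

    def LbC(self, O, X, A):
        if set(X) & set(self.schema[O][0]) or A in X:        # part of [I5]
            raise ValueError("LbC may not cover the identifying property or itself")
        for B in X:
            self.assign(O, B, self.cls[(O, A)], "LbC")

    def verify(self):
        """Re-check [I2] and [I3] on the final ranges; returns the violations found."""
        bad = [("I2", O, A) for O, (key, attrs) in self.schema.items() for A in attrs
               if (A in key and self.cls[(O, A)] != self.cls[(O, key[0])])
               or not dominates(self.cls[(O, A)], self.cls[(O, key[0])])]
        bad += [("I3",) + dep for dep, ref in self.fks.items()
                if not dominates(self.cls[dep], self.cls[ref])]
        return bad


def sample_design():
    """Rules 1, 2, 3, 4 and 7a of Subsection 4.4 in insertion order; rules 5, 6
    and 7b classify query results and do not touch the property ranges."""
    schema = {"Employee": (("SSN",), ["SSN", "Name", "Dep", "Salary"]),
              "Project": (("Title",), ["Title", "Subject", "Client"]),
              "Assignment": (("SSN", "Title"), ["SSN", "Title", "Date", "Function"])}
    fks = {("Assignment", "SSN"): ("Employee", "SSN"),
           ("Assignment", "Title"): ("Project", "Title")}
    rb = RuleBase(schema, fks)
    rb.SiC("Assignment", {"Function"}, "S")                                    # 1
    rb.CbC("Employee", {"SSN", "Name"}, "Salary", ">=", 100, "Co")             # 2
    rb.CoC("Assignment", {"SSN"}, "Project", "Subject", "=", "Research", "S")  # 3
    rb.LbC("Project", {"Client"}, "Subject")                                   # 4
    rb.SiC("Assignment", {"SSN", "Title"}, "Co")                               # 7a
    return rb
```

After sample_design() returns, rb.cls holds the ranges of Fig. 15, rb.conflicts records every designer notification (including the repeated ones on Function, each resolved to S), and rb.verify() returns an empty list, i.e., the final constraint set satisfies [I2] and [I3]. Passing a different resolve function models a designer who rejects the default strategy.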
5. Standardization and Evaluation Efforts
Database security (and computer security in general) is currently subject to intensive national and international standardization and evaluation efforts. The efforts have as their goal the development of metrics for use in evaluating the degree of trust that can be placed in computer products used to process sensitive information. By “degree of trust” we understand the level of assurance that the security-enforcing functions of a system are working properly. The efforts have all been based on the “Orange Book” criteria (TCSEC, 1985) issued by the U.S. National Computer Security Center (NCSC). Since then, the criteria have been used to evaluate products in the U.S. and in many other countries as well. Shortly after its release, the Orange Book was criticized because of its orientation towards confidentiality and secrecy issues and because its main focus was on centralized computer systems and operating systems. As a consequence, NCSC has issued two interpretations of the Orange Book, the “Red Book,” an interpretation for networks, and the “Purple Book” (TDI, 1990), an interpretation for databases. Together with other documents issued by NCSC, the standards are known as the “rainbow series” because of the colors of their covers. Within Europe there have been a number of national initiatives in the development of security evaluation criteria. Recognizing the common interest and the similar principles underlying their efforts, four European countries (France, Germany, the Netherlands, and the United Kingdom) have cooperated in the development of a single set of harmonized criteria issued by the Commission of the European Communities (ITSEC, 1991). Besides these efforts, criteria sets have also been published in Canada and Sweden. Because of the ongoing internationalization of the computer product market, there is a strong demand on the part of industry for harmonization between TCSEC, ITSEC, and the other proposals.
A first step in this direction was the set of studies performed as part of the US Federal Criteria Project, currently a draft under public review. In the following discussion we briefly review the basic concepts of the Orange Book and show how they relate to corresponding concepts in ITSEC.

TCSEC defines four hierarchically ordered divisions (D, C, B, A) of evaluation classes. Within each division there are one or more hierarchically ordered classes. Figure 16, taken from the Orange Book, contains a detailed representation of this packaging. D-level criteria apply to all systems and products that cannot be evaluated at higher levels of trust; D-level requires no security features. Systems rated at a C-level support DAC, which includes the support of identification, authentication, and auditing functions. At C1, DAC-based protection need only be provided at the user-group level, while for C2, protection at the individual user level is required. Most commercially available general-purpose DBMS products are evaluated at C2. At the B-level, security labels and mandatory access controls are introduced. Enhancing existing DBMSs with add-on security packages may result in evaluation at B1, whereas for B2 and above the system must have been designed with security in mind from the outset. At B2 the emphasis is on assurance. For this purpose a formal security policy model must be developed, the roles of a system administrator and an operator introduced, and security-relevant code separated into a TCB. B3 requires an increased level of assurance, achieved by a greater amount of testing and a strong emphasis on auditing. Emphasis at B3 is also directed toward minimizing and simplifying the TCB code. The A1 evaluation class is, in terms of functionality, identical to B3, though it requires formal techniques to exhibit and prove consistency between the specification and the formal security policy. It is not required to prove the source code against the specification and against the formal security policy. The systems discussed in Section 3 were developed with the aim of obtaining evaluation at the A1 level, whereas most commercial DBMS systems that support a mandatory security policy have been evaluated at the B1 or B2 level.

[Figure 16: chart of TCSEC requirements by evaluation class (columns C1, C2, B1, B2, B3, A1). Rows, grouped by criterion area: Security policy (discretionary access control, object reuse, labels, label integrity, exportation of labelled information, exportation to multilevel devices, exportation to single-level devices, labelling human-readable output, mandatory access controls, subject sensitivity labels, device labels); Accountability (identification and authentication, audit, trusted path); Assurance (system architecture, system integrity, security testing, design specification and verification, covert channel analysis, trusted facility management, configuration management, trusted recovery, trusted distribution); Documentation (security features user’s guide, trusted facility manual, test documentation, design documentation). Each cell marks whether the class has no requirement, no additional requirement, or a new or enhanced requirement.]
FIG. 16. Trusted Computer System Evaluation Criteria summary chart (NCSC-TCSEC, 1985).

A number of deficiencies in TCSEC have been pointed out by several researchers (for example, Neumann, 1992). Besides the fact that distributed systems are not adequately covered (although the Red Book provides some guidelines), it has been noted that:
• The primary focus of TCSEC is on confidentiality. Integrity and availability are not treated adequately.
• Authentication considers only passwords. More advanced techniques are not included.
• TCSEC provides inadequate defence against pest programs (Neumann, 1990).
• Audit data (and its real-time analysis) can provide an important aid in protecting against vulnerabilities. This is not considered in the criteria.
ITSEC has been developed with some of the deficiencies of TCSEC in mind and is intended as a superset of TCSEC. It defines security as a combination of confidentiality, integrity, and availability, and distinguishes between two kinds of criteria: functionality criteria, with ten predefined functionality classes, and correctness criteria, with seven evaluation levels. The two are evaluated separately. The functionality criteria are used to evaluate the security-enforcing functions of a system; they were developed within the German national criteria project. The first five functionality classes (F-C1 to F-B3) are hierarchically ordered and correspond closely to the functionality of the TCSEC classes, while the remaining five are intended as examples to demonstrate common requirements for particular types of systems. The correctness criteria represent seven levels of assurance (E0 to E6) as regards the correctness of the security features. They correspond roughly to the assurance levels of TCSEC and cumulatively require testing, configuration control, access to design specification and source code, vulnerability analysis, and formal and informal verification of the correspondence between specification, security model, and source code. Figure 17 relates the functionality and correctness criteria of ITSEC to the corresponding evaluation classes of TCSEC.

ITSEC functionality class    ITSEC evaluation level    TCSEC class
(none)                       E0                        D
F-C1                         E1                        C1
F-C2                         E2                        C2
F-B1                         E3                        B1
F-B2                         E4                        B2
F-B3                         E5                        B3
F-B3                         E6                        A1
FIG. 17. Correspondence between ITSEC and TCSEC.

Although it is commonly agreed that the evaluation criteria are a first step in the right direction, the market for commercial evaluation is still not fully developed. The existence of at least seven sets of evaluation criteria from different countries has produced an unwillingness on the part of developers to permit their products to be subjected to an evaluation process. However, it is commonly agreed that efforts at making the different criteria compatible, together with the growing number of evaluated products and the increasing number of customers showing a preference for evaluated products, may generate further interest among the public and society at large in database security (and computer security in general) and in security evaluation.
6. Future Directions in Database Security Research
The field of database security has been active for almost twenty years. During the early stages of research the focus was directed principally towards the discretionary aspect of database security, i.e., different forms of access control lists and view-based protection. Later the focus shifted towards mandatory controls, integrity issues, and security mechanisms fine-tuned to provide privacy. The major current trends are to provide tools that support the designer during the different database design phases that involve security-critical content, to develop security semantics and classification constraints, to investigate the use of rules and triggers for various problems related to database security, to extend security issues to other data models, for example distributed and heterogeneous databases, and to investigate in the course of physical design such questions as transaction and recovery management as well as the development of storage structures whose main focus is on the support of security. We would now like to outline what we believe will be the directions the field will follow over the next few years.
System architecture of mandatory systems. Most DBMSs supporting MAC are based on the principles of balanced assurance and TCB subsetting. As a result, the DBMS is hosted on a TCB which is responsible for identification, user authentication, and mandatory access control. Multilevel relations are supported only at the external level; the entire database is decomposed into single-level fragments which are stored using the storage manager of a general-purpose DBMS product. We believe this approach has several practical advantages but represents only a near-term solution to database security. What is needed in the near future are data models, storage structures, and transaction and recovery management procedures specially suited for use in DBMSs with a high degree of trust in their security features. First steps in this direction have already been taken for secure transaction management (for example, Kogan and Jajodia, 1990, or Kang and Keefe, 1992a) and recovery management (Kang and Keefe, 1992b).

Formal specification and verification of MLS DBMSs. Assurance that the security features of a DBMS are working properly is required for DBMSs that contain databases with security-critical content. This entails formal specification and verification of the DBMS specifications, the DBMS architecture, the DBMS implementation, and the design and implementation of the particular database application. So far there is not much work on this topic and only very little experience in the use of existing systems and techniques to formally specify and verify databases. A natural next step would be to adopt existing techniques and use them for designing and implementing secure databases. A very good discussion of the pros and cons of formal methods within the framework of safety-critical systems is that of McDermid (1993).

Evaluation criteria. It is commonly agreed that the evaluation criteria represent a first step in the right direction. However, since the international field of information technology providers will not be able to evaluate their products against different criteria in different countries, the various criteria will have to be merged. Mutual recognition of the security certifications and evaluations of different countries is also necessary. Moreover, as technology evolves, the concept of security will have to be extended to an open, heterogeneous, multi-vendor environment. In the future, systems will have to be considered for evaluation that differ from what we are familiar with today. For example, object-oriented systems, knowledge-based systems, active systems, multimedia systems, or hypertext systems may become candidates for evaluation. To cover future developments, criteria must be open-ended and thereby address the needs of new information technology environments which have yet to be explored.
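As an added illustration of the architecture sketched under "System architecture of mandatory systems" above (example code written for this edition, not code from the chapter or from any of the systems it surveys), the following Python models a multilevel relation that exists only as an external view: internally it is decomposed into one single-level fragment per sensitivity level, and a host TCB mediates every fragment access with the simple-security and *-property checks, so the untrusted DBMS code never has to be trusted for MAC. The level names, the relation and its tuples, and the polyinstantiated SHIP1 row are constructed for the example.

```python
"""Toy model of the TCB-subsetting architecture described above.  Added here
as an illustration; it is not code from the chapter or from any of the
systems it surveys.  Level names, the relation and its tuples are constructed."""
from dataclasses import dataclass, field

# Linear sensitivity lattice, lowest to highest (constructed for the example).
LEVELS = ("U", "C", "S", "TS")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True when level a is at least as high as level b."""
    return RANK[a] >= RANK[b]


class AccessDenied(Exception):
    pass


class HostTCB:
    """The trusted computing base the DBMS is hosted on.  It knows nothing
    about relations or tuples: it only compares the level of the requesting
    subject with the level of the single-level fragment being touched."""

    def check_read(self, subject: str, fragment: str) -> None:
        if not dominates(subject, fragment):          # simple security: no read up
            raise AccessDenied(f"{subject} may not read fragment {fragment}")

    def check_write(self, subject: str, fragment: str) -> None:
        if not dominates(fragment, subject):          # *-property: no write down
            raise AccessDenied(f"{subject} may not write fragment {fragment}")


@dataclass
class SingleLevelFragment:
    """What the untrusted general-purpose storage manager actually stores:
    one relation per level, every tuple in it classified at that level."""
    level: str
    rows: list = field(default_factory=list)      # (key, value, level) tuples


class MultilevelRelation:
    """External view: a single multilevel relation.  Internally the relation is
    decomposed into one single-level fragment per level, and every fragment
    access is mediated by the host TCB, so the DBMS code itself is not trusted
    for mandatory access control."""

    def __init__(self, tcb: HostTCB):
        self.tcb = tcb
        self.fragments = {lvl: SingleLevelFragment(lvl) for lvl in LEVELS}

    def insert(self, subject: str, key: str, value: str, level: str) -> None:
        self.tcb.check_write(subject, level)
        self.fragments[level].rows.append((key, value, level))

    def select(self, subject: str) -> list:
        """Recover the subject's view as the union of the fragments the TCB
        lets it read.  Fragments above the clearance are never opened."""
        view = []
        for lvl in LEVELS:
            try:
                self.tcb.check_read(subject, lvl)
            except AccessDenied:
                continue
            view.extend(self.fragments[lvl].rows)
        return sorted(view, key=lambda r: (r[0], RANK[r[2]]))


def attempt_insert(rel: MultilevelRelation, subject: str, key: str, value: str, level: str) -> bool:
    """Return True if the TCB allowed the insert, False if it denied it."""
    try:
        rel.insert(subject, key, value, level)
        return True
    except AccessDenied:
        return False


def demo() -> MultilevelRelation:
    """Constructed sample data.  SHIP1 ends up polyinstantiated: an Unclassified
    cover story and a Secret tuple with the same key coexist in different
    fragments, and only subjects cleared to S or above see both."""
    rel = MultilevelRelation(HostTCB())
    rel.insert("U", "SHIP1", "in port for repairs", "U")
    rel.insert("S", "SHIP1", "en route to exercise area", "S")
    rel.insert("C", "SHIP2", "refit", "C")
    return rel


if __name__ == "__main__":
    rel = demo()
    for clearance in ("U", "C", "S"):
        print(clearance, [r[:2] for r in rel.select(clearance)])
    # A Secret subject may not write into the Unclassified fragment.
    print("write down allowed:", attempt_insert(rel, "S", "SHIP3", "leak", "U"))
```

The point of the structure is where the trust sits: `MultilevelRelation` is the untrusted DBMS and could be arbitrarily buggy, but because every fragment it touches is gated by `HostTCB`, a Confidential subject's `select` can never return the Secret SHIP1 tuple, and a Secret subject cannot push data into the Unclassified fragment.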
Extending security to nonrelational data models. It is only recently that security has been discussed in the context of nonrelational data models. Preliminary work has begun on the development of security models for object-oriented databases (for multilevel approaches, see Keefe et al., 1989, Jajodia and Kogan, 1990, Thuraisingham, 1992, and Millen and Lunt, 1992; for discretionary models, see Fernandez et al., 1989, Rabitti et al., 1989, and Fernandez et al., 1993), for knowledge-based systems (see Morgenstern, 1987, and Thuraisingham, 1990), for multimedia databases (see Thuraisingham, 1991), and for hypertext (see Merkl and Pernul, 1994). So far, the Personal Knowledge Approach is the only data model that was developed from the outset with the main goal of meeting security requirements. All the other approaches have adapted existing data models for use in security-critical environments. It is expected that further research will lead to new data models in which security is among the major design decisions.

Research issues in discretionary security. The presence of more advanced data models, for example the object-oriented data model, has renewed interest in discretionary access controls. Further research issues include explicit negative authorization, group authorization, propagation of authorizations, propagation of revocations, authorizations on methods and functions, and the support of roles.

Design aids and tools. Future research is necessary for the development of aids and tools to support the designer during the different phases involved in the design of a database with security-critical content. Research is needed in an integrated fashion and must span requirements analysis, conceptual and logical design, security semantics, and integrity rules, as well as prototyping, testing, and benchmarking. Aids, guidelines, and tools are needed for both discretionary and mandatory protected databases.

Extending security to distributed and heterogeneous databases. Distribution adds a further dimension to security because distributed systems are vulnerable to a number of additional attacks, for example on data communication. Even more complicated is the case in which heterogeneous DBMSs are chosen to form a federation. Since the participating component databases continue to operate autonomously and the security mechanisms may differ between sites, additional security gateways and controls may be necessary. The steps involved in building a secure distributed heterogeneous DBMS are by no means straightforward, and some researchers believe that, given the current state of the art of both database security and federated database technology, such a DBMS is not even possible.
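The discretionary issues listed under "Research issues in discretionary security" above can be made concrete with a small authorization model. The following Python is an added example, not code from the chapter: it implements group authorization, explicit negative authorization (a denial overrides any positive grant, including one inherited through a group), propagation of grants through the grant option, and cascading revocation using the timestamp rule of Griffiths and Wade (1976), under which a grant made by X survives a revoke only if X still held the privilege with grant option from a source older than that grant. The users A to F, the group `analysts`, the object `emp` and the logical timestamps are constructed for the example.

```python
"""Small discretionary authorization model for the research issues listed
above: group authorization, explicit negative authorization, propagation of
grants via the grant option, and propagation (cascading) of revocations.
Added as an illustration; not code from the chapter.  The revocation rule is
the timestamp rule of Griffiths and Wade (1976): after a revoke, a grant made
by X survives only if X still held the privilege with grant option from some
source that is older than that grant.  Users, groups and object names are
constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str        # a user or a group name
    obj: str
    priv: str
    grant_option: bool
    ts: int             # logical time of the grant


class AuthDB:
    def __init__(self, owners: dict, groups: dict):
        self.owners = owners            # obj -> owning user (may do anything)
        self.groups = groups            # group -> set of member users
        self.grants: list = []
        self.denials: set = set()       # (user or group, obj, priv)
        self.clock = 0

    def _principals(self, user: str) -> set:
        """The user and every group the user belongs to."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def _grantable_since(self, user: str, obj: str, priv: str, before: int = None):
        """Earliest time at which user held (obj, priv) with grant option,
        counting only grants older than `before`; None if never."""
        prins = self._principals(user)
        times = [g.ts for g in self.grants
                 if g.grantee in prins and g.obj == obj and g.priv == priv
                 and g.grant_option and (before is None or g.ts < before)]
        return min(times) if times else None

    def grant(self, grantor, grantee, obj, priv, grant_option=False) -> None:
        if self.owners.get(obj) != grantor and self._grantable_since(grantor, obj, priv) is None:
            raise PermissionError(f"{grantor} cannot grant {priv} on {obj}")
        self.clock += 1
        self.grants.append(Grant(grantor, grantee, obj, priv, grant_option, self.clock))

    def deny(self, principal, obj, priv) -> None:
        """Explicit negative authorization.  A denial on the user or on any of
        the user's groups overrides every positive grant."""
        self.denials.add((principal, obj, priv))

    def check(self, user, obj, priv) -> bool:
        prins = self._principals(user)
        if any((p, obj, priv) in self.denials for p in prins):
            return False
        if self.owners.get(obj) == user:
            return True
        return any(g.grantee in prins and g.obj == obj and g.priv == priv for g in self.grants)

    def revoke(self, revoker, grantee, obj, priv) -> None:
        """Drop revoker's grants to grantee, then cascade: repeatedly remove
        any grant whose grantor no longer had an older independent source."""
        self.grants = [g for g in self.grants
                       if not (g.grantor == revoker and g.grantee == grantee
                               and g.obj == obj and g.priv == priv)]
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                if self.owners.get(g.obj) == g.grantor:
                    continue                      # owners need no source
                if self._grantable_since(g.grantor, g.obj, g.priv, before=g.ts) is None:
                    self.grants.remove(g)
                    changed = True


def demo() -> AuthDB:
    """Constructed scenario.  A owns 'emp'; the chain A->B->C->D is built, then
    A also grants C directly (later than C's grant to D), and E and F get access
    through the group 'analysts', with F explicitly denied."""
    db = AuthDB(owners={"emp": "A"}, groups={"analysts": {"E", "F"}})
    db.grant("A", "B", "emp", "select", grant_option=True)   # t=1
    db.grant("B", "C", "emp", "select", grant_option=True)   # t=2
    db.grant("C", "D", "emp", "select")                      # t=3
    db.grant("A", "C", "emp", "select", grant_option=True)   # t=4
    db.grant("A", "analysts", "emp", "select")               # t=5
    db.deny("F", "emp", "select")
    return db


if __name__ == "__main__":
    db = demo()
    db.revoke("A", "B", "emp", "select")
    for u in "BCDEF":
        print(u, db.check(u, "emp", "select"))
```

After A revokes B, C keeps its access through the later direct grant from A, but D loses it: C's grant to D was made at t=3, before C had any source independent of B, so the timestamp rule removes it even though C is still authorized now. E keeps access through the group, and F is shut out by the explicit denial regardless of the group grant.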
Security and privacy. Addressing security and privacy themes must remain a topic of future database research. Security and privacy are among the most important topics in medical informatics, for example in integrated hospital information systems. In numerous medical settings computerized information systems have been introduced with little regard to security and privacy controls. It is a challenge for database security to ensure the availability, confidentiality, and privacy of computer-based patient records in the near future.
7. Conclusions

In the present essay we have proposed models and techniques which provide a conceptual framework for countering the possible threats to database security. Emphasis has been given to techniques primarily intended to assure a certain degree of confidentiality, integrity, and availability of the data. Privacy and related legal issues of database security were also discussed, though not as fully. Although our main focus was on the technological issues involved in protecting a database, it should be recognized that database security includes organizational, personnel, and administrative security issues as well. Database security is not an isolated problem; in its broadest sense it is a total system problem. Database security depends not only on the choice of a particular DBMS product or on the support of a certain security model, but also on the operating environment and the people involved. Although not discussed, further database security issues include requirements on the operating system, network security, add-on security packages, data encryption, security in statistical databases, hardware protection, software verification, and others. There is a growing interest in database security, and the approaches which we have reported demonstrate the considerable success which has been achieved in developing solutions to the problems involved. Public interest has increased dramatically, though it is only recently that the issue of security outside the research community has begun to receive the attention which its importance warrants. Though database security has been a subject of intensive research for almost two decades, it is still one of the major and most fascinating research areas. It is expected that changing technology will introduce new vulnerabilities to database security. Together with problems that have yet to be fully solved, the field of database security promises to remain an important area of future research.
ACKNOWLEDGMENTS

I wish to acknowledge the many discussions that I have had on the AMAC security technique and on the conceptual modeling of sensitive information with Kamal Karlapalem, Stefan Vieweg, and Werner Winiwarter. In particular, I wish to thank A Min Tjoa and Dieter Merkl for their many fruitful comments.
References

Batini, C., Ceri, S., and Navathe, S. B. (1992). “Conceptual Database Design: An Entity-Relationship Approach.” Benjamin/Cummings, Reading, Massachusetts.
Bell, D. E. and LaPadula, L. J. (1976). “Secure Computer System: Unified Exposition and Multics Interpretation.” Technical Report MTR-2997. MITRE Corp., Bedford, Massachusetts.
Biba, K. J. (1977). “Integrity Considerations for Secure Computer Systems.” ESD-TR-76-372, USAF Electronic Systems Division.
Biskup, J. (1990). “A General Framework for Database Security.” Proc. European Symp. Research in Computer Security (ESORICS ’90), Toulouse, France.
Biskup, J. and Brüggemann, H. H. (1988). The Personal Model of Data: Towards a Privacy-Oriented Information System. Computers & Security 7, North-Holland (Elsevier).
Biskup, J. and Brüggemann, H. H. (1989). The Personal Model of Data: Towards a Privacy-Oriented Information System (extended abstract). Proc. 5th Int’l Conf. on Data Engineering (ICDE ’89). IEEE Computer Society Press.
Biskup, J. and Brüggemann, H. H. (1991). Das datenschutzorientierte Informationssystem DORIS: Stand der Entwicklung und Ausblick. Proc. 2. GI-Fachtagung “Verläßliche Informationssysteme” (VIS ’91). IFB 271, Springer-Verlag.
Burns, R. K. (1992). A Conceptual Model for Multilevel Database Design. Proc. 5th Rome Laboratory Database Workshop, Oct. 1992.
Chen, P. P. (1976). The Entity-Relationship Model: Towards a Unified View of Data. ACM Trans. Database Systems (TODS) 1(1).
Clark, D. D. and Wilson, D. R. (1987). A Comparison of Commercial and Military Computer Security Policies. Proc. 1987 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Codd, E. F. (1970). A relational model for large shared data banks. Comm. ACM 13(6).
Cuppens, F. and Yazdanian, K. (1992). A “Natural” Decomposition of Multi-level Relations. Proc. 1992 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Denning, D. E. (1988). Database Security. Ann. Rev. Comput. Sci. 3.
Denning, D. E., Lunt, T. F., Schell, R. R., Heckman, M., and Shockley, W. R. (1987). A multilevel relational data model. Proc. 1987 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Denning, D. E., Lunt, T. F., Schell, R. R., Shockley, W. R., and Heckman, M. (1988). The SeaView Security Model. Proc. 1988 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Elmasri, R. and Navathe, S. B. (1989). “Fundamentals of Database Systems.” Benjamin/Cummings, Reading, Massachusetts.
Fernandez, E. B., Summers, R. C., and Wood, C. (1981). “Database Security and Integrity.” (System Programming Series) Addison-Wesley, Reading, Massachusetts.
Fernandez, E. B., Gudes, E., and Song, H. (1989). A Security Model for Object-Oriented Databases. Proc. 1989 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Fernandez, E. B., Gudes, E., and Song, H. (1993). A Model for Evaluation and Administration of Security in Object-Oriented Databases. IEEE Trans. Knowledge and Data Engineering (forthcoming).
Fugini, M. G. (1988). Secure Database Development Methodologies. In “Database Security: Status and Prospects,” C. Landwehr, ed. North-Holland (Elsevier).
Garvey, C. and Wu, A. (1988). ASD-Views. Proc. 1988 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Graham, G. S. and Denning, P. J. (1972). Protection: Principles and Practice. Proc. AFIPS Spring Joint Computer Conference.
Griffiths, P. P. and Wade, B. W. (1976). An authorization mechanism for a relational database system. ACM Trans. Database Systems (TODS) 1(3).
Haigh, J. T., O’Brien, R. C., Stachour, P. D., and Toups, D. L. (1990). The LDV Approach to Database Security. In “Database Security III: Status and Prospects,” D. L. Spooner and C. Landwehr, eds. North-Holland (Elsevier).
Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1976). Protection in operating systems. Comm. ACM 19(8).
Hinke, T. H., Garvey, C., and Wu, A. (1992). A1 Secure DBMS Architecture. In “Research Directions in Database Security,” T. F. Lunt, ed. Springer-Verlag.
ITSEC (1991). Information Technology Security Evaluation Criteria (ITSEC). Provisional Harmonized Criteria, COM(90) 314. Commission of the European Communities.
Jajodia, S. and Kogan, B. (1990). Integrating an Object-Oriented Data Model with Multilevel Security. Proc. 1990 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Jajodia, S. and Sandhu, R. (1990a). Database Security: Current Status and Key Issues. ACM SIGMOD Record 19(4).
Jajodia, S. and Sandhu, R. (1990b). Polyinstantiation Integrity in Multilevel Relations. Proc. 1990 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Jajodia, S., Sandhu, R., and Sibley, E. (1990). Update Semantics of Multilevel Secure Relations. Proc. 6th Ann. Comp. Security Applications Conf. (ACSAC ’90). IEEE Computer Society Press.
Jajodia, S. and Sandhu, R. (1991a). Toward a multilevel secure relational data model. Proc. ACM SIGMOD Conf., Denver, Colorado.
Jajodia, S. and Sandhu, R. (1991b). A Novel Decomposition of Multilevel Relations into Single-Level Relations. Proc. 1991 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Jajodia, S. and Mukkamala, R. (1991). Effects of the SeaView decomposition of multilevel relations on database performance. Proc. 5th IFIP WG 11.3 Conf. Database Security, Shepherdstown, West Virginia.
Kang, I. E. and Keefe, T. F. (1992a). On Transaction Processing for Multilevel Secure Replicated Databases. Proc. European Symp. Research in Computer Security (ESORICS ’92). LNCS 648, Springer-Verlag.
Kang, I. E. and Keefe, T. F. (1992b). Recovery Management for Multilevel Secure Database Systems. Proc. 6th IFIP WG 11.3 Conf. on Database Security, Vancouver, British Columbia.
Keefe, T. F., Tsai, W. T., and Thuraisingham, M. B. (1989). SODA: A Secure Object-Oriented Database System. Computers & Security 8(5). North-Holland (Elsevier).
Kogan, B. and Jajodia, S. (1990). Concurrency Control in Multilevel Secure Databases using the Replicated Architecture. Proc. ACM SIGMOD Conf., Portland, Oregon.
Lampson, B. W. (1971). Protection. Proc. 5th Princeton Conf. Information and Systems Sciences.
Lampson, B. W. (1973). A Note on the Confinement Problem. Comm. ACM 16(10).
Landwehr, C. E. (1981). Formal Models of Computer Security. ACM Comp. Surveys 13(3).
Lunt, T. F., Schell, R. R., Shockley, W. R., and Warren, D. (1988). Toward a multilevel relational data language. Proc. 4th Ann. Comp. Security Applications Conf. (ACSAC ’88). IEEE Computer Society Press.
Lunt, T. F., Denning, D. E., Schell, R. R., Heckman, M., and Shockley, W. R. (1990). The SeaView Security Model. IEEE Trans. Software Engineering (TSE) 16(6).
Lunt, T. F. and Fernandez, E. B. (1990). Database Security. ACM SIGMOD Record 19(4).
McDermid, J. A. (1993). Formal Methods: Use and Relevance for the Development of Safety-critical Systems. In “Safety Aspects of Computer Control,” P. Bennett, ed. Butterworth-Heinemann.
Merkl, D. and Pernul, G. (1994). Security for Next Generation Hypertext Systems. Hypermedia 6(1) (forthcoming). Taylor Graham.
Millen, J. K. (1989). Models of Multilevel Computer Security. Advances in Computers 29 (M. C. Yovits, ed.). Academic Press.
Millen, J. K. and Lunt, T. F. (1992). Security for Object-Oriented Database Systems. Proc. 1992 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Morgenstern, M. (1987). Security and Inference in Multilevel Database and Knowledge-based Systems. Proc. ACM SIGMOD Conf., San Francisco, California.
Navathe, S. B. and Pernul, G. (1992). Conceptual and Logical Design of Relational Databases. Advances in Computers 35 (M. C. Yovits, ed.). Academic Press.
Neumann, P. G. (1990). Rainbows and Arrows: How the Security Criteria Address Computer Misuse. Proc. 13th National Computer Security Conference. IEEE Computer Society Press.
Neumann, P. G. (1992). Trusted Systems. In “Computer Security Reference Book,” K. M. Jackson and J. Hruska, eds. Butterworth-Heinemann.
Pernul, G. and Tjoa, A. M. (1991). A View Integration Approach for the Design of Multilevel Secure Databases. Proc. 10th Int’l Conf. Entity-Relationship Approach (ER ’91), San Mateo, California.
Pernul, G. and Luef, G. (1991). A Multilevel Secure Relational Data Model Based on Views. Proc. 7th Ann. Comp. Security Applications Conf. (ACSAC ’91). IEEE Computer Society Press.
Pernul, G. (1992a). Security Constraint Processing in Multilevel Secure AMAC Schemata. Proc. European Symp. Research in Computer Security (ESORICS ’92). LNCS 648, Springer-Verlag.
Pernul, G. (1992b). Security Constraint Processing During MLS Database Design. Proc. 8th Ann. Comp. Security Applications Conf. (ACSAC ’92). IEEE Computer Society Press.
Pernul, G. and Luef, G. (1992). A Bibliography on Database Security. ACM SIGMOD Record 21(1).
Pernul, G. and Tjoa, A. M. (1992). Security Policies for Databases. Proc. IFAC Symp. Safety and Security of Computer Systems (SAFECOMP ’92). Pergamon Press.
Pernul, G., Winiwarter, W., and Tjoa, A. M. (1993). The Entity-Relationship Model for Multilevel Security. Institut für Angewandte Informatik und Informationssysteme, Universität Wien.
Rabitti, F., Bertino, E., Kim, W., and Woelk, D. (1991). A Model of Authorization for Next-Generation Database Systems. ACM Trans. Database Systems (TODS) 16(1).
Rochlis, J. A. and Eichin, M. W. (1989). With Microscope and Tweezers: The Worm from MIT’s Perspective. Comm. ACM 32(6).
Schell, R. R., Tao, T. F., and Heckman, M. (1985). Designing the GEMSOS Security Kernel for Security and Performance. Proc. 8th Nat’l Computer Security Conference. IEEE Computer Society Press.
Sell, P. J. (1992). The SPEAR Data Design Method. Proc. 6th IFIP WG 11.3 Conf. Database Security, Burnaby, British Columbia.
Smith, G. W. (1990a). The Semantic Data Model for Security: Representing the Security Semantics of an Application. Proc. 6th Int’l Conf. Data Engineering (ICDE ’90). IEEE Computer Society Press.
Smith, G. W. (1990b). Modeling Security-Relevant Data Semantics. Proc. 1990 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Smith, K. and Winslett, M. (1992). Entity Modeling in the MLS Relational Model. Proc. 18th Conf. Very Large Databases (VLDB ’92).
Stachour, P. D. and Thuraisingham, B. (1990). Design of LDV: A Multilevel Secure Relational Database Management System. IEEE Trans. Knowledge and Data Engineering 2(2).
Stoll, C. (1988). Stalking the Wily Hacker. Comm. ACM 31(5).
Stonebraker, M. and Rubinstein, P. (1976). The INGRES Protection System. Proc. 1976 ACM Annual Conference.
TCSEC (1985). Trusted Computer System Evaluation Criteria (Orange Book). National Computer Security Center, DOD 5200.28-STD.
TDI (1990). Trusted Database Interpretation of the Trusted Computer System Evaluation Criteria. NCSC-TG-021, Version 1.
Thompson, K. (1984). Reflections on Trusting Trust. Comm. ACM 27(8). (Also in ACM Turing Award Lectures: The First Twenty Years 1965-1985. ACM Press.)
Thomsen, D. J. and Haigh, J. T. (1990). A Comparison of Type Enforcement and Unix Setuid Implementation of Well-Formed Transactions. Proc. 6th Ann. Comp. Security Applications Conf. (ACSAC ’90). IEEE Computer Society Press.
Thuraisingham, M. B. (1990). Towards the design of a secure data/knowledge base management system. Data & Knowledge Engineering 5(1), North-Holland (Elsevier).
Thuraisingham, M. B. (1991). Multilevel Security for Multimedia Database Systems. In “Database Security IV: Status and Prospects,” S. Jajodia and C. E. Landwehr, eds. North-Holland (Elsevier).
Thuraisingham, M. B. (1992). Multilevel Secure Object-Oriented Data Model: Issues on Noncomposite Objects, Composite Objects, and Versioning. JOOP, SIGS Publications.
Wilson, J. (1988). A Security Policy for an A1 DBMS (a Trusted Subject). Proc. 1988 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Wiseman, S. (1991). Abstract and Concrete Models for Secure Database Applications. Proc. 5th IFIP WG 11.3 Conf. Database Security, Shepherdstown, West Virginia.
Functional Representation and Causal Processes
B. CHANDRASEKARAN
Laboratory for AI Research, The Ohio State University, Columbus, Ohio
1. Introduction . . . 73
2. Human Reasoning about the Physical World . . . 76
  2.1 Human Qualitative Reasoning . . . 76
  2.2 Modeling and Prediction . . . 77
3. Historical Background . . . 80
  3.1 Need for “Models” in Diagnostic Reasoning . . . 80
  3.2 Causal Nets . . . 81
  3.3 Qualitative Device Models . . . 82
4. Functional Representation . . . 84
  4.1 Informal Overview . . . 85
  4.2 Components of FR . . . 89
  4.3 Remarks on FR . . . 99
  4.4 Applications of FR . . . 102
  4.5 Generating FRs for New Devices . . . 127
  4.6 Generalization to Nondynamic Causal Structures . . . 129
5. Related Work . . . 131
6. Concluding Remarks . . . 133
  6.1 A Research Agenda . . . 133
  6.2 Logic of Understanding . . . 137
  6.3 Rich Variety of Reasoning Phenomena . . . 137
Acknowledgments . . . 138
References . . . 138
1. Introduction

Cognitive agents that are organized to achieve goals in the world have three fundamental activities to perform, as illustrated in Fig. 1.

[Figure 1: diagram of the agent’s subtasks; the recoverable labels are “Making sense of the world” and “Predict consequences of hypothetical actions”.]
FIG. 1. Some subtasks for a cognitive agent.

Making sense of the world. Using sensors and other information (including knowledge in memory), the agent has to form a theory of the world: about what is out there and how it works. This task has a number of different subtasks: sensory processing, forming a perception at the right level of abstraction that relates to the goals, and constructing an explanation of what is going on in the world. In this paper we are concerned with the form such explanations often take. Specifically, we propose that such explanations often take the form of a certain type of causal story, and that the elements in the story are linked together following specific rules of composition.

Planning actions to achieve goals. The agent has to embark on actions in the world in order to achieve goals. One technique that is commonly employed is for the agent to synthesize a plan, a sequence of intended actions. Knowledge about the state and causal properties of the world is needed to generate the plans. In particular, causal stories can be inverted to reason from desired states to the actions that are likely to produce them.

Predicting consequences. A common subtask in planning is to predict the consequences of proposed actions in order to check that desired consequences arise and undesired consequences do not. A common subtask of “making sense of the world” is to evaluate hypotheses about states of the world by predicting the consequences of that state and checking to see if the consequences are indeed true in the world. If the predicted consequences are true, the particular hypothesis about the state of the world is given a higher plausibility. Thus prediction is an important and ubiquitous cognitive activity. Causal models play a role in prediction as well.

Forming causal models of the world and using them for prediction, planning, and the formation of additional causal models are thus important activities of cognitive agents. The major goal of this paper is to review a theory about what form such causal models take and how they can be used for various problem-solving purposes. An important underlying idea is that
causal understanding of the world doesn’t come simply in the form of “facts” about the world, i.e., as propositions or causal rules, but in the form of causal packages that are organized from specific perspectives and point to other causal packages. The work we shall be reviewing is based on the idea that these packages are basic units of comprehension and prediction. The functional representation (FR) theory is a proposal about the logical structure, representation, and use of such causal packages. This article brings together work that has been developed and published in the last decade by a number of researchers.

The study of causality has many dimensions, and also has an illustrious history in philosophy. It is important to be clear about what aspects of the construction of causal models are relevant to our purposes here. One major stream of philosophical work on causality grapples with the semantics of the term “cause,” i.e., exactly what it means to say “A causes B,” or, equivalently, the necessary and sufficient conditions on A and B for us to assert that “A causes B.” There continue to be different points of view on this issue, but this is not something we will be concerned with in this paper. A second stream takes one or another meaning of causality as given, and seeks to give computational formalisms for deciding if A causes B. In AI, Pearl and Verma (1991), for example, have adopted a probabilistic interpretation of causality, and they then go on to propose a Bayesian technique for computing the likelihood that A causes B. Our work is not concerned with formalizing the semantics of “cause.” We take “cause” as a primitive. Our representations already start with some knowledge of causes, and we strive to build other causal relations from this. Nor is our work concerned with quantification of the probabilities of causation. For now we take our causation to be deterministic.
The research reported here has the goal of elaborating a theory of representation of causal processes and using the representational framework for problem solving of various sorts. What is the connection between functions of devices and causal processes? So far I have been talking only about causal packages, without any mention of function. In the domain of devices, causal representation and reasoning serve several purposes. In design, the goal is to organize components in such a way that the causal processes which result cause the intended function to be achieved. In diagnosis, the causal process is analyzed to see why the intended function is not being achieved. Thus, understanding how to represent causal processes in general is a prerequisite for reasoning about the functions of devices. In reasoning about device functions, we use the same techniques as in reasoning about causal processes in the world in general, but now there are specific constraints on what kinds of effects are desired, are intended, or are to be avoided.
2. Human Reasoning about the Physical World
The research on device understanding and reasoning about causal processes is, for me, part of a larger agenda of creating a technology based on the same sources of power that the human agent taps into when reasoning about the world. I would like to make a brief detour describing a broader framework for thinking about human reasoning about the physical world, and along the way point to the role played by causal process packages in this framework. Those interested only in the technical aspects of functional representation can skip this section and go right to Section 3.
2.1 Human Qualitative Reasoning
Let us compare a trained physicist and an unschooled man-on-the-street. The physicist has a specialized vocabulary and a number of mathematical modeling and analytical techniques. The physicist might deploy his or her scientific knowledge and perspective selectively, either to reason about specialized domains or when precise answers to certain questions are needed. The special vocabulary and techniques of the physicist notwithstanding, there is a substantial overlap in the ways the physicist and the common man reason in everyday situations. They share an ontology and general-purpose reasoning strategies that arise from the properties of the shared cognitive architecture. Knowledge needed for reasoning about the world comes in many types:

1. A commonsense ontology¹ that predates and is, in fact, used by modern science: consisting in space, time, flow, physical objects, cause, state, perceptual primitives such as shapes, and so on. The terms in this ontology are experientially and logically so fundamental that scientific theories are built on the infrastructure of this ontology. Early work in qualitative physics (QP) had as a main goal elaboration of such an ontology (Hayes, 1979, and Forbus, 1984, are examples). Even today, a good deal of QP research grapples with the development of ontologies for different parts of commonsense physical knowledge.

2. The scientific ontology is built on the commonsense ontology (and often gives specific technical meanings to some of the terms in it, such as “force”). Additional concepts and terms are constructed. Some of these are quite outside commonsense experience (examples are “voltage,” “current,” and “charm of quarks”).

¹ Ontology is a term used in AI to refer to the terms in a representation language. The language is said to be committed to the existence of those types of entities. Ontology in philosophy is the study of what kinds of things exist.
3. Compiled causal knowledge is knowledge of causal expectations that people compile partly from direct experience and partly by caching some results from earlier problem solving. Which causal expectations get stored and used is largely determined by the relevance of the causes and effects to the goals of the problem solver. There is a more organized form of causal knowledge that we build up as well: models of causal processes. By process model I mean a description in terms of temporally evolving state transitions, where the state descriptions are couched in the terms of the commonsense and scientific ontologies. For example, we have commonsense causal processes such as “boiling,” or specialized ones such as “voltage amplification,” “the business cycle,” and so on. These are goal-dependent process descriptions, ones in which the qualitative states that participate in the description have been chosen based on abstractions relevant to the agent’s goals. In particular, such descriptions are couched in terms of possible intervention options on the world to affect the causal process, or observation options to detect the process. The work on functional representations that I describe in this paper develops terms to represent these causal process descriptions. When the process model is based on prescientific or unscientific views, we are dealing with naive process models (such as models of the Sun rotating around the Earth, or of exorcism of evil spirits). Many prescientific process models are not only quite adequate, but are actually simpler and more computationally efficient than the scientific ones for everyday purposes. Some sciences, such as geology and biology, often present their causal theories in the form of such process descriptions (e.g., how mountains are formed, how the infection-fighting mechanism works). These process descriptions are great organizing aids, as we will discuss in the paper: they focus the direction of prediction, help in the identification of structures to realize desired functions in design, and suggest actions to enable or abort the process.

4. Mathematical equations embodying scientific laws and expressing relations between state variables. These equations themselves are acausal, and any causal direction is given by additional knowledge concerning which variables are exogenous.
2.2 Modeling and Prediction
The framework should provide support for the three components of reasoning about the physical world: modeling, prediction, and control of reasoning. In what follows, we discuss modeling and prediction. Control of reasoning is rather tangential to the main issues of concern here. The interested reader can refer to the section on control of reasoning in Chandrasekaran (1992).
2.2.1 Modeling
All modeling is done in the context of the goals to be accomplished, i.e., states to be achieved or avoided in the world. Causal process knowledge plays an essential role in identifying aspects of the physical situation and the perspectives that need to be represented. The process models can be used to identify states that should be represented and reasoned about. The heart of the modeling problem is to come up with tractable representations in a goal-dependent way. The aggregation levels (when dealing with populations) (Weld, 1986), the abstractions, the approximations, and the concepts in the representation are all jointly determined by the physical situation, the goals, and the rich storehouse of causal process knowledge that expert reasoners possess.
2.2.2 Prediction
The power of experts in prediction comes not from wholesale formalization of the problem in terms of physics and subsequent qualitative or other type of simulation (which is how much of current QP work tends to present the problem), but from the use of a substantial body of compiled causal knowledge in the form of causal process descriptions that are used to hypothesize states of potential interest. Further, the state variables participating in causal relations may not all be continuous, and hence, even in principle, not all problems of prediction can be formulated in terms of the analysis of dynamic systems, as suggested by Sacks and Doyle (1992) in their critique of QP work. For example, a substantial part of our causal knowledge is about nominal variables (“vacations relax people,” “lack of support causes objects to fall”). Simon (1991) describes a causal ordering scheme that works with such variables, but, as a rule, the most well-known qualitative reasoning models and the dynamic system analysis techniques work only with state variables that happen to be continuous.

Humans in their everyday life rarely predict behavior in the physical world by generating a long series of causal chains. Qualitative reasoning about the world proliferates ambiguities too rapidly. If you ask someone what will happen if I throw a ball at a wall, that person is likely to start off with the ball bouncing off the wall, move on to it dropping on the ground, and end with, “it will probably bounce a few more times on the floor and pretty soon will roll off.” Very little of this sequence of predictions is the result of application of scientific laws of motion. Rather, a short series of causal sequences is constructed from compiled causal knowledge, instantiated to the specific physical situation. Two important sources of power that are available to human experts in generating successor states and handling ambiguities are discussed next.
Compilation of Potentially Interesting Consequences. If we ask someone, “what will happen if I throw a rock at the window?” that person is likely to say, “the window might break.” This answer is generally not a result of any kind of “simulation” of the mechanism of the glass under impact. A number of such causal fragments, compiled from experience or from earlier problem-solving episodes, are stored as part of our causal knowledge about domains of interest. An important aspect of such compilation is that the causal knowledge is, as a rule, no longer in the form of assertions of the form “A will cause B” but rather of the form “A might cause B.” Only causal paths that lead to interesting consequences (i.e., those that are likely to have an impact on various goals of agents) are stored, but this, in turn, introduces uncertainty in the causal relation. This ambiguity is OK, since the goal of qualitative prediction is typically not accuracy or certainty, but identification of an interesting possibility that may be investigated more thoroughly if needed.

Handling Ambiguity. Ambiguities in causal simulation are often handled not on the basis of what effect will happen, but on what might happen that may help or hurt the goals of the problem solver. Thus, when there is more than one successor state in simulation, the state that is related to the goals of interest is chosen for further expansion. In the example of the window, suppose a person was standing on one side of the window, while you, standing on the other side, saw someone about to throw a rock at the window. You would most likely attempt either to stop the rock throwing or alert the person on the other side. You would not be paralyzed with the ambiguities in prediction: the rock may not really hit the window, the window may not shatter, the rock may miss the person, the rock or glass fragments may not draw blood, and so on.
Prediction of behavior in the physical world always takes place in the context of such background goals. The existence of these goals makes up for the fact that we rarely have enough information to be more than qualitative in our reasoning.² Lest one should think that this is only a phenomenon of interest in the commonsense world, it should be stressed that engineering reasoning is full of such goal-driven ambiguity handling. For example, in design analysis, one might use this form of ambiguity handling to identify the possibility that a component will make its way into a dangerous state. Of course, once this possibility is identified, quantitative or other normative methods can be used in a selective way to verify the hypothesis. Scientific first principles are embedded in process descriptions (in the form of explanations of causal transitions) in such a way that these principles can be formally used as needed for detailed calculation.

In engineering and scientific prediction problems, these techniques of ambiguity reduction are not always sufficient. Whenever reasoning about consequences reaches a point where relatively precise answers are needed for choices to be made, the situation can be selectively modeled and analytical methods of varying degrees of complexity and precision can be employed. The models that are formed reflect the problem-solving goal that is current, and typically represent only a small slice of the physical system. Mathematical techniques of various kinds, including the dynamic system analysis techniques recommended in Sacks and Doyle (1992), will clearly form a part of this arsenal of analytical techniques.

² There is another technique for reducing the ambiguity endemic in qualitative prediction which is worth mentioning for completeness, though it is not really relevant to the main topic of this paper. When in doubt about consequences, small and, possibly, retractable changes can be made to the physical world, and the consequences directly noted. This information reduces ambiguity about the future behavior. In robotic motion tasks, such interaction-driven ambiguity resolution can be helpful. There is often no reason to make a complete and ambiguity-laden prediction of a physical situation. Using the real world as a computational aid in this way (Chapman, 1990) helps to avoid long chains of reasoning based on complex symbolic reasoning models.
3. Historical Background
3.1 Need for “Models” in Diagnostic Reasoning
A brief historical background to the development of this body of ideas on the representation of functions and causal processes might help motivate the ideas. In 1983, one of my main interests in problem solving was diagnostic reasoning. At that time, a discussion was getting started on so-called “deep” versus “shallow” representation of knowledge for diagnosis. Rules were said to be shallow because they were, it was claimed, just associations between symptoms and malfunctions (as in Mycin), without any indication of how the latter caused the former. It was proposed that, in contrast, there were so-called deep representations that provided a basis for explaining the associations. When diagnostic knowledge, i.e., knowledge that related the malfunction categories and symptoms, was incomplete or missing, it was proposed that these deep representations, also called models,³ might be invoked and the missing knowledge generated. (Chandrasekaran and Mittal, 1983, give an early presentation of these ideas, and Bylander, 1990, and Chandrasekaran, 1991, present up-to-date analysis of the issues involved.) Model-based reasoning became a big subarea of research in AI over the last decade, precisely in response to the perceived need for a representation that was not just restricted to a narrow range of tasks. Models were intended to be a description of how the device worked. I review two streams of work in representing models of devices (or physiological systems, since many of the ideas arose in the context of medical diagnosis).

³ This term is a bit of a misnomer. Any collection of knowledge about some domain, whether it be associational rules or something else, is in fact a model of the domain. When people use the word “model” in this area, they intend a particular type of model that I have elsewhere (Chandrasekaran, 1991) characterized as a “structure-behavior-function” model.
3.2 Causal Nets
The work by Weiss et al. (1978) is representative of this stream. (The belief nets of Pearl, 1986, are not meant explicitly as device models, but could be used to represent the causal relations underlying the device.) In causal nets, a device’s workings are represented as a network of causal relations between the variables describing the system. An effect could be the result of more than one cause, and a cause could result in more than one effect. One could introduce numerical weights in the links between nodes to represent some notion of the likelihood of the effect given the cause. There are a number of technical issues in such a representation that are not important for my current purpose, but I want to draw attention to two related aspects of such networks. The theories do not propose explicit criteria for the levels of abstraction that should be used for the variables, or for organizing the causal network. In this approach, these two decisions are left as part of the modeling problem, and are thus deemed to be domain-specific issues. Let me illustrate the point by a simple example. A network in the domain of medicine may have two causal links entering a node labeled “headache”:

high blood pressure at blood vessels at the temple → headache (Link 1)
infectious diseases of certain kinds → headache (Link 2).
Note that both are true causal relations, but do not represent different causal mechanisms. In the former, a causal explanation at the level of a physiological mechanism is offered, while in the latter a disease-level explanation is represented. One of the ways in which diseases of a certain kind might cause headache is, in fact, by activating processes that increase the blood pressure level at the temples. The two relations are best thought of as existing at different levels of abstraction and indexed by different goals. The relation involving infectious diseases is probably most usefully indexed by the goal of “diagnosis.” The relation involving the pressure level at the temple might not be activated at all during diagnosis. On the other hand, for research on drug mechanisms, knowledge in Link 1 might be directly relevant and, hence, should be activated. The FR theory in this paper uses causal networks, but provides task-specific criteria for abstraction levels for the variables and organization of causal knowledge.
3.3 Qualitative Device Models
Another stream of ideas on representing models is the work of de Kleer (de Kleer, 1985; de Kleer and Brown, 1984) and others in that school. Devices (or physical systems) are modeled as having components connected in specific ways. The components are specified as satisfying certain input-output relations. A description of the device in terms of its components and their relations is called the structure of the device. The device can be simulated, i.e., the values of all the variables could be derived using knowledge about the components’ input-output properties and about the component interconnections. Such a description is termed the behavior of the device. Contrastingly, Forbus (1984) introduced the idea that the way to model phenomena is as a set of processes. A physical situation is described in terms of processes at work in some domain of interest and their interaction. This is the structural representation. Behavior is generated by working out the consequences of interacting processes. The process and the component perspectives are seen within the qualitative reasoning community as compatible alternatives: some physical situations are best modeled as components interacting, others as processes interacting, while yet others as perhaps having both components and processes. I think, however, that it is best to take the process view as the basic one and think of a component view as a special case. Component input-output relations become a specific type of process and the physical connections between components a specific type of process interaction. Kuipers’ (1986) representation of structure is much simpler than the previous two: it is simply a list of state variables and a description of how a change in the value of a state variable affects other state variable values. The three representations, i.e., the componential, process, and state variable relations, are related. One could take the set of all input and output variables of the components in the de Kleer representation as the state variables of Kuipers and use the input-output component descriptions to generate a description of how certain state variable values change as a function of changes in the values of the other state variables.

Representationally, all the above approaches describe the world as a set of state variables and the underlying causal process as a set of relations between changes in the state variables. This is, of course, the standard ontology of physics and system engineering. In the de Kleer picture, the state variables belong to the components, the component descriptions give the causal relations between variables, and the component connections describe how the changes propagate. In the Forbus picture, the state variables belong to the processes that also describe the causal relations between changes in the variables. In the Kuipers picture, the state variables and their relations are simply described, without a particular theory of whether the variables arise from components or processes.

AI researchers in qualitative reasoning proposed an additional set of ideas about simulation, specifically qualitative simulation. In their view, human intelligence is characterized by the fact that such structural models are qualitative, i.e., causal relations are described only in terms of ranges of values rather than actual values. Instead of giving the exact description of how a change in variable x causes a change in variable y, the causal relation is given only as “If x increases, y decreases,” or some similar type of trend description. de Kleer and Kuipers propose techniques for generating behavior using such qualitative relations exclusively. These approaches are well-documented (e.g., Forbus, 1988), and there is no need to review them in detail here. We will argue that goal-directed allocation of reasoning resources is a more useful characterization of human intelligence than reasoning in terms of qualitative ranges of values.

Another AI technique for reasoning about the world is consolidation (Bylander, 1988). This work is based on the observation that often, for predicting behavior, the structure of a device is simplified in certain systematic ways. Such a simplification can help avoid component-by-component simulation. For example, given two resistors in series we simplify that into one resistor. Especially in electrical devices and, to some extent, in electromechanical devices, such repeated application of structural grouping operations results in greatly simplified descriptions that make simulation either much easier or even unnecessary. In circuits, for example, we can simplify the resistance by repeated application of formulae for series and parallel resistors, and just write down formulae for all the currents. Any qualitative analysis can then be applied to this equation.

In these approaches the behavior of the device is composed from the behavioral description of the components, processes, or state variable relations. These techniques need to be complemented by other techniques to provide the following additional capabilities that are often needed:

1. Device-level vs. component-level abstractions. In the qualitative reasoning approaches that we have described, the terms in which the behavior of the device as a whole is described are the same as in the component-level descriptions. For example, suppose we have an electronic amplifier, and the device’s structure is described in terms of its components: transistors, resistors, capacitors, and so forth. Let us say that each of these component behaviors is described in terms of their currents and voltages. The techniques for simulation which we have described would produce a description of device behavior in terms of currents and voltages. However, the behavior of the device as a whole in which we are interested is as an amplifier, which is a higher level of description. We need techniques that relate the device-level behavioral abstractions to the descriptions at the component level.

2. Concern exclusively with aspects relevant to the goal. The simulation techniques of qualitative reasoning produce the values of all the component-level state variables that are part of the model. However, many of the state variables may not be of interest to the goal at hand. In the amplifier example, if we are interested in the value of the “amplification ratio” for some configuration of parameters, there may be no need to generate the values of the currents and voltages in circuits that play no causal role in the production of amplification. The computational work needed to generate the values of all the state variables may be reduced if we have a goal-directed simulation strategy, and a representation that helps in identifying the dependences and in focusing the simulation.

3. Flexibility regarding detail. Human reasoning, while it is largely qualitative in the sense of reasoning over ranges, is also capable of invoking techniques for precise calculation if quantitative information is needed. An engineer might perform some reasoning using qualitative information, formulate a well-posed numerical problem that she might solve on paper or computer, and proceed with qualitative reasoning again. That is, human reasoning flexibly integrates computations of different degrees of accuracy and precision in a goal-directed way.

The FR work that we review in this paper provides the complementary function-oriented view that is needed to provide the above capabilities.
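The consolidation technique mentioned above (replacing series and parallel resistors by a single equivalent resistor until the network collapses to one element, then applying Ohm’s law to the simplified description) can be made concrete with the following Python example. It is an added illustration, not code from the chapter or from Bylander’s work; the netlist format `(node_a, node_b, ohms)`, the function names, and the two sample networks are constructed for the example. It also covers the failure mode the simple grouping rules cannot handle: a bridge network, which is not series-parallel reducible and would need full network analysis.

```python
"""Consolidation of a resistor network by repeated series/parallel reduction.
Added example, not the chapter's own code: the netlist format (node_a,
node_b, ohms) and the helper names are this example's assumptions."""
from collections import defaultdict


def parallel_step(edges):
    """Merge all resistors sharing the same two nodes: 1/R = sum(1/R_i)."""
    groups = defaultdict(list)
    for a, b, r in edges:
        groups[frozenset((a, b))].append(r)
    merged, changed = [], False
    for key, rs in groups.items():
        a, b = tuple(key)          # a two-terminal element has no orientation
        if len(rs) > 1:
            changed = True
            merged.append((a, b, 1.0 / sum(1.0 / r for r in rs)))
        else:
            merged.append((a, b, rs[0]))
    return merged, changed


def incidence(edges):
    """Map each node to the indices of the edges touching it."""
    inc = defaultdict(list)
    for i, (a, b, _) in enumerate(edges):
        inc[a].append(i)
        inc[b].append(i)
    return inc


def series_step(edges, terminals):
    """Remove one interior node joining exactly two resistors: R = R1 + R2."""
    for node, idxs in incidence(edges).items():
        if node in terminals or len(idxs) != 2:
            continue
        (a1, b1, r1), (a2, b2, r2) = edges[idxs[0]], edges[idxs[1]]
        far1 = b1 if a1 == node else a1
        far2 = b2 if a2 == node else a2
        rest = [e for k, e in enumerate(edges) if k not in idxs]
        return rest + [(far1, far2, r1 + r2)], True
    return edges, False


def prune_step(edges, terminals):
    """Drop a dangling resistor (interior node of degree 1): it carries no current."""
    for node, idxs in incidence(edges).items():
        if node not in terminals and len(idxs) == 1:
            return [e for k, e in enumerate(edges) if k != idxs[0]], True
    return edges, False


def consolidate(edges, t1, t2):
    """Reduce the network to one equivalent resistor between terminals t1, t2.
    Returns (ohms, list of reduction steps). Raises ValueError when no
    series/parallel rule applies (e.g. a bridge), which needs network analysis."""
    for a, b, _ in edges:
        assert a != b, "self-loop resistors carry no current; drop them first"
    edges, steps = list(edges), []
    while True:
        for name, step in (("parallel", parallel_step),
                           ("series", lambda e: series_step(e, {t1, t2})),
                           ("prune", lambda e: prune_step(e, {t1, t2}))):
            edges, changed = step(edges)
            if changed:
                steps.append(name)
                break
        else:            # no rule applied: the reduction has converged
            break
    if len(edges) == 1 and {edges[0][0], edges[0][1]} == {t1, t2}:
        return edges[0][2], steps
    raise ValueError("network is not series-parallel reducible")


def ohms_law_current(volts, ohms):
    """Ohm's law applied to the consolidated description: I = V / R."""
    return volts / ohms


# Constructed sample: R1 in series with the parallel pair R2 || R3.
SAMPLE = [("src+", "n1", 100.0), ("n1", "src-", 200.0), ("n1", "src-", 200.0)]
# Constructed sample that is not series-parallel: a Wheatstone bridge.
BRIDGE = [("a", "b", 1.0), ("a", "c", 1.0), ("b", "c", 1.0),
          ("b", "d", 1.0), ("c", "d", 1.0)]

if __name__ == "__main__":
    r_eq, steps = consolidate(SAMPLE, "src+", "src-")
    print(r_eq, steps, ohms_law_current(12.0, r_eq))
```

The reduction order (parallel, then series, then pruning of dangling branches, restarting after every change) guarantees that a series step never sees two edges between the same pair of nodes, and the recorded step list is the simplified structural description the text refers to: once the network is a single resistor, any qualitative or quantitative analysis is a one-line formula rather than a component-by-component simulation.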
4. Functional Representation
The functional representation framework is a proposal of top-down representation for goal-directed, flexible reasoning that bridges abstraction levels. It was originally proposed by Sembugamoorthy and Chandrasekaran (1986) for the causal processes that culminate in the achievement of device functions. (Some devices achieve their functions by means of causal processes, while the function of others is explained directly from their structure. We discuss this distinction later, but for now consider only devices wherein causal processes are the means of achieving the functions.)
In FR, the function of the overall device is described first and the behavior of each component is then described in terms of how it contributes to the function.
4.1 Informal Overview
FR for a device has three parts:
• a description of intended function (independent of how the function is accomplished);
• a description of the structure of the device, i.e., what the parts are and how they are connected (the degree of detail in this description is chosen by the describer);
• a description of how the device achieves the function, specifically a process description.
de Kleer (1985) introduced the terms “structure” and “behavior” formally in the study of devices, and also discussed the idea of “functions” as having to do with the teleology of artifacts. de Kleer and Brown (1983) also proposed a process description of mental models of how a device worked. Our work builds on some of these notions.

The part of FR that describes the function treats the device as a black box, i.e., it makes no assumptions about its internal structure, not to mention any processes that take place in the device. This is because the same function may be achieved in different ways, and thus a description of the function itself should not make any commitments about structure. This may be called the “No structure in function” principle, a kind of converse of the “No function in structure” principle due to de Kleer. Of course, to describe a function we need to describe a certain minimum amount of structure: how the device is to be embedded in the environment (e.g., where it is to be placed and how it is to be connected), where on the device the operations to initiate the function are to be performed (e.g., turning the switch on for an electrical lighting circuit or an electric iron), and where the functional output is to be realized (e.g., light near the bulb, heat at the ironing plate). Other than this, we only have to describe under what conditions what kinds of predicates are to be satisfied by the device in order for it to achieve the function of interest. That is, a function is represented by describing the context of its application, the initiating conditions, and the predicates the device has to satisfy for it to achieve the function. Of course FR as a whole enables us to combine this description of function with how the specific device achieves it, by adding descriptions of structure and the causal processes that make the function happen in the device. It is important to emphasize this independence of the what of the function from its how, since such a distinction is widely understood to be an important desideratum for representing function (e.g., Brajnik et al., 1991; Chittaro et al., 1993a,b; Kaindl, 1993). The FR framework honors this distinction.

Representing the structure is straightforward: we simply list the component names and their functions and indicate how the components are put together to make the device, i.e., describe the relations between the components. The components’ functions are described using the same ideas as in the description of the device function. We give examples of such descriptions later in the paper.

The basic idea in describing how a device achieves its function is that of a causal process description (CPD). That is, we describe how the device goes through a causal state transition process in which the initial state is the state of the device just at the time the device “starts,” the final state is the state at which the device is achieving the function for which it was designed, and each state transition is explained by appealing to knowledge concerning components or domain. The idea that a behavioral description of a device represents a link between structure and function has been stated often in the AI literature, from the early works of de Kleer to Gero et al., 1992, but our proposal on CPD takes a very specific stance about what kinds of behavioral descriptions have the explanatory power needed to explain the function and bridge the levels of abstraction between component-level and device-level descriptions. A CPD can be thought of as a directed graph whose nodes are predicates about the states of the device, and the links the causal transitions. The links have one or more annotations that explain the transition. The annotations, according to the theory, belong to certain specific types. Consider a simple electrical circuit with a switch, a voltage source, and a resistor. Let us say that the function we are interested in is the production of heat.
A causal account of how this function comes about might be given as follows: A → B → C → D → E, where A is ‘switch is on,’ B is ‘voltage applied between terminals,’ C is ‘current flows in the circuit,’ D is ‘current flows through the resistor,’ and E is ‘heat generated.’ Normally “→” can be interpreted as “causes.” A CPD is not a neutral description, but one that is oriented towards explaining a selected function. If the function of interest is the production of light and the resistor is a filament inside a light bulb, the link D → E might read as follows: D is ‘current flows through the resistor,’ and E is ‘light generated.’
FUNCTIONAL REPRESENTATION AND CAUSAL PROCESSES
Of course the current through the resistor also produces heat. If we are interested in explaining the production both of light and heat, the graph might look as follows: A → B → C → D → E, with a second link D → E′, where E corresponds to production of light and E′ to production of heat. Now let us examine how the transitions might be explained. A → B: “Closing the switch causes voltage to be applied between the terminals of the circuit.” In explaining this transition we use knowledge about the “closing” function of the switch (the component “switch” has the two functions, “open” and “closed”) and the “voltage” function of “battery.” The transition B → C, ‘the application of voltage causes a current to flow through the circuit,’ invokes the connectivity-providing functions of the various connectors, and also uses a domain law, viz., Ohm’s law. Checking the connectivity functions of the connectors ensures that the structure is in fact a circuit. Ohm’s law can be used to provide qualitative or quantitative information about the quantities involved. The transition C → D asserts that ‘current flowing through the circuit means that there is current through the resistor.’ This particular transition is not normally viewed as a causal transition. The explainer is simply inferring a predicate of interest, in this case, that there is current through the resistor. The explanation appeals to the meaning of a circuit. If we want only causal links, we can collapse the two links into one, B → D, asserting, ‘application of voltage causes current through the resistor.’ The explanation would still appeal to the connectivity functions of the connectors and to Ohm’s law. The transition D → E, asserting that ‘current through the resistor causes heat to be produced,’ can be explained in different ways. One possibility is to simply point to the scientific laws that relate electricity to heat production in a resistor, similar to the way Ohm’s law was used earlier.
Such a law can be given in numerical or qualitative form, as needed. In this case, the link would be annotated as By-Domain-Law(current-to-heat equation). In this explanation, the domain law is taken as a primitive explanation, satisfactory for the current problem-solving goals. The same transition can be explained by appealing to another process: how electricity gets converted to heat. The link would have the annotation By-CPD(electricity-to-heat). Someone who already understands this process can use it if needed and build the more detailed (and longer) causal story. This causal process can be explained separately for anyone who doesn’t already understand it.
To summarize the various explanatory annotations:

i. By-CPD: This points to another CPD that provides further details of the transition. The details of the CPD may not matter for the current purpose. If they matter, the CPD may be part of the prior knowledge of the agent, or can be explained separately. Potentially long process explanations can thus be hierarchically composed out of other process explanations, making the explanation at each level shorter. (The ABEL system of Patil et al., 1981, uses a similar approach of describing causal chains with hierarchically increasing detail.) CPDs (such as “boiling” in commonsense physics, or “electricity-to-light production” in the circuit example) can be reused, possibly after instantiating some parameters (e.g., the pressure at which the boiling is done, the liquid that is being boiled, and so on). Human expertise in a domain contains knowledge of a large number of such causal processes that can be parametrized and reused.

ii. By-Function-Of(component): This annotation appeals to the function of a component as the causal explanation of the transition. A major goal of causal explanation in devices is to explain the behavior of the device in terms of the properties of the components and their interconnections. Again, a large part of the expertise of human experts in a domain is in the form of knowledge concerning generic components and their functions (though, in many cases, how the component functions may not be known). The ability to explain the device functions partly in terms of component functions, and to explain component functions, in turn, in terms of the functions of its subcomponents helps in the formation of functional/component hierarchies in explanation and design. Also, components with different internal structure but the same function can be substituted.

iii. By-Domain-Law(law): Another form of explanation is by appeal to domain laws.
In the domain of engineering, scientific laws are the ultimate basis of explaining why the device behaves as it does. For example, the state transition, 5 volts at the input → 2 amps through the load, might be explained as By-Domain-Law(Ohm’s Law: Voltage = Current * Resistance).
For a particular device, any realistic FR description will taper off at some level of components and CPDs. The terms that are used at the lowest level of description are themselves undefined. In explanations directed to humans, these terms are assumed to be part of commonsense knowledge. For machine processing, the terms at the lowest levels of description are just strings of symbols. Thus every FR is inherently incomplete.
Noncausal links. Sometimes additional, noncausal links may need to be added to arrive at the predicate of interest. For example, for an amplifier, we may have constructed the CPD, Voltage 1 at the input → … → Voltage 10 at the output, but the function that needs to be explained might be Amplification of 10. A noncausal, definitional/abstraction link can be used to arrive at the node Amplification of 10 from Voltage 10 at the output. Such links can be used to indicate an inference that follows from predicates in the earlier nodes. We have given examples of four ways in which a link can be explained: appealing to the function of a component, a causal process, a domain law, or some noncausal inference. In the body of FR research, the set of annotations has been somewhat open-ended and evolving. In the original paper (Sembugamoorthy and Chandrasekaran, 1986), we had made finer distinctions for the By-knowledge link, and also proposed a By-structural-assumptions link. The last link was intended to handle situations where the structure as given was not sufficient to justify the causal transition, but, with some additional assumptions about the structure, it was assumed that the transition would work. In the newer versions of the FR language, we include such requirements under various kinds of qualifiers. Vescovi et al. (1993) have identified another link called By-participation-of(component), to account for the situation in which some aspect of the component that has not been explicitly identified as its function plays a role in some state transition.

Qualifiers. In addition to the explanatory annotations, the links may have qualifiers that state conditions under which the transition will take place. In FR the qualifier Provided(p) is used to indicate that condition p should hold during the causal transition in order for the transition to be initiated and completed, and If(p) to indicate that the condition p should hold at the moment at which the causal transition is to start. The conditions can refer to the states of any of the components or substances.
Many of these qualifiers are eventually translated into conditions on the structural parameters.

4.2 Components of FR
I will use a running example of a device called a nitric acid cooler (NAC) (Goel, 1989) to illustrate various aspects of FR. Figure 2 is a schematic of the device.
FIG. 2. Schematic of the nitric acid cooler (NAC). Labels legible in the figure: Hot H2O, Cold H2O, heat-exchange chamber (HEC), port P5.
4.2.1 Structure of a Device

The structure of a device is a specification of the set of components that constitute the device and the relations between the components. The components are represented by their names and by the names of their functions, which are all domain-specific strings. Components and functions can have variables as their parameters, and thus may describe classes. In the NAC example, component class pipe(l, d) describes pipes with length l and diameter d, while pipe2 is a particular instance of pipe(l, d) with specific values for l and d. Similarly, the device NAC as a class has a function cool-input-liquid(rate, temperature-drop), where rate and temperature-drop are capacity parameters of the function cool-input-liquid. A particular NAC might be identified by specific values for these parameters. Devices can have substances whose properties are transformed as part of their functions. Substances can be destroyed and new substances created. Substances can be physical (e.g., nitric-acid) or abstract (e.g., heat). In the NAC example, the substance nitric-acid has the properties temperature, flow rate, and amount of heat (which itself is a substance). Components have ports at which they come together with other components in certain relations. For example, the component type “pipe”
might be written as pipe(l, d; t1, t2), where l and d are the length and diameter, and t1 and t2 are the input and output ports. Components are configured in specific structural relations to each other in order to form a device. In an electrical circuit, electrical components are electrically connected at the defined terminals. In the NAC example, the relations include conduit-connection, containment, etc. (The relational vocabulary can also include unintended relations, e.g., electrical leakage between electrical components. The components can be in unintended relations to each other as a result of malfunctions.) The vocabulary of relations is domain specific. The semantics of the relations are established by the domain laws that govern the behavior of the components in the given relations. The FR language uses the following keywords for describing structure:
Structure(Device(<device-name>, <functional parameters>, <ports>)),
Component(<component-name>, <component parameters>, <ports>),
Function(<component>),
Relation(<relation>((<component, port>), ..., (<component, port>))).

The structure of NAC is given in Fig. 3.

Structure(Device(NAC; cooling-capacity and temperature parameters; ports: P1, P4, P5, P7))
Components: pipe1(l1, d1; p1, p2), pipe2(l2, d2; p2, p3), pipe3(l1, d1; p3, output), Heat-exchange-chamber(<dimensions>, Input-port, output-port), Water-pump(Input, Output)
Function(pipe_i): Conduit(input, output)
Function(Heat-exchange-chamber): exchange-heat(<parameters>)
Function(Water-pump): ........
Relations:
  Component(pipe2) contained-in Component(Heat-exchange-chamber)
  Component(pipe1) conduit-connected Component(pipe2) (Ports: <information about ports>)
  Component(Water-pump) conduit-connected Component(Heat-exchange-chamber) (Ports: <information about which ports of the components are connected, e.g., Input-port of Heat-exchange-chamber is the same as the Output of Water-pump>)

FIG. 3. Structural description of NAC. (From Chandrasekaran, B., Goel, A., and Iwasaki, Y., “Functional representation as design rationale,” IEEE Computer, January 1993, pp. 48-56. © 1993, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
In the figure, the terms in italics are domain-specific names for functions, components, relations, etc. The interpreter for FR treats them as strings. The terms in computer font are terms in FR. Additional domain-specific interpreters may be able to use the italicized terms as meaningful keywords. For example, a mechanical simulator can use terms such as contained-in and conduit-connected to perform simulations. For the purpose of this exposition, they are to be understood in their informal, English-language meanings. The syntax of the Relations keyword is that an n-ary relation has n components; moreover, a Ports term indicates which ports of the components are connected. Note that the components are described purely in terms of their functions. In principle this makes it possible to replace components by structurally different but functionally identical components. Further, the components themselves can be represented as devices in their own terms.
4.2.2 States and Partial States

A device state is represented as a set of state variables {V_i} consisting of the values of all the variables of interest in the description of the device. State variables can be either continuous or discrete. In particular, some of the variables may take truth values {T, F} as their values, i.e., they are defined by predicates. An example of a continuous variable is water temperature in a device that uses water for cooling a substance. An example of a variable defined by a predicate is ?open(valve). This variable will take the value T or F depending upon whether the valve is or is not open. In describing functions and causal processes, we generally speak in terms of partial states of the device. A partial state is given by the values (or some constraints on the values) of a subset of state variables. For example, the partial state (call it state1) of NAC (describing some relevant state variables at the input p1 of the device) can be given as {substance: nitric acid; location(substance): p1; temperature(substance): T1}. State2, describing the properties of nitric acid at location p2, will only differ in the location parameter, while the partial state description, state3, at location p3 will be {substance: nitric acid; location(substance): p3; temperature(substance): T2}, where T2 < T1.
State Description Languages. The language in which states are represented is itself not part of the representational repertoire of FR and is largely domain specific. In economics, the state variables would be entities such as GNP, inflation-rate, etc.; in nuclear plants, an entity might be radiation-level. Goel (1989) has defined a state description language which is useful in describing devices that deal with material substances that change locations, e.g., those in which substance flow is a useful notion. The state representation we just used for NAC employs this language. In NAC and many other domains a state can be represented by a real number, a binary predicate, or a vector of real numbers and predicates.
Shape-Based States. In principle the states can be images or shapes, in addition to symbolic entities as in the examples so far. For example, when we want to describe the causal process corresponding to the flow of hot molten metal into molds, the relevant intermediate states may be shape descriptions. (See Chandrasekaran and Narayanan (1990) and Narayanan and Chandrasekaran (1991) for descriptions of work relating to such visual simulations.)

State Abstractions. Consider a device which, at one level of description of states, has one of its state variables, say s, going through the following partial states repetitively: {−1, 0, 1}. That is, the state variable is oscillating around 0. Suppose we define another state variable ?oscillating by a process of abstraction from the values of s over time. This would be a binary variable taking on the value Yes if the values of s are cycling through {−1, 0, 1} and No otherwise. Allemang and Keuneke (1988) discuss a number of issues in creating such abstractions (see also Weld, 1986). Which state variable behaviors are abstracted and the way this is done are determined by considerations outside the physical system itself. In fact, all descriptions of physical systems at any level presuppose and arise from a set of problem-solving goals. Whatever state variables we use to describe a system at the lowest level can themselves be defined from such a process of abstraction from physical behavior at even lower levels; there really is no way of representing any real-world system in a truly neutral way.
4.2.3 Causal Process Description

Formally, the causal process description (see Iwasaki and Chandrasekaran, 1992) is represented as a directed graph with two distinguished nodes, N_init and N_fin. Each node in the graph represents a partial state of the device. N_init corresponds to the partial state of the device when the conditions for the function are initiated (such as turning a switch on). N_fin corresponds to the state where the function is achieved. Each link represents a causal connection between nodes. One or more qualifiers are attached to the links to indicate the conditions under which the transition will take place, and one or more annotations can be attached to indicate the type of causal explanation to be given for the transition. The graph may be cyclic, but there must be a directed path from N_init to N_fin.
FIG. 4. CPDs for device NAC (without link annotations).

CPD-1 (nitric acid):
  state1: HNO3 at temp T1 at location p1
  → state2: HNO3 at temp T1 at location p2
  → state3: HNO3 at temp T2 (T2 < T1) at location p3

CPD-2 (water):
  Water at temp T3 at input to water-pump
  → Water at temp T3 at input to heat-exchanger
  → Water at temp T4 (T4 > T3) at output of heat-exchanger

state1, state2, and state3 are described more formally in the text. The transition from state2 to state3 is described in Fig. 5 with annotations and qualifiers. (From Chandrasekaran, B., Goel, A., and Iwasaki, Y. (1993) "Functional representation as design rationale," IEEE Computer, January 1993, pp. 48-56. © 1993, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
In the NAC example, let nodes state1, state2, and state3 correspond to the states of nitric acid at the input to pipe1, at location p2, and at location p3, respectively. Figure 4 depicts the CPD graph (without any annotations or qualifiers) describing what happens to nitric acid and water as they flow through the chamber. In the figure, the nodes are described in informal English, but they can be described more formally, similar to my earlier description of state1.
FIG. 5. Annotations and qualifiers for a causal transition in NAC.
  state2 → state3
  Domain-law: zeroth-law-of-thermodynamics
  Qualifiers: (appropriate enclosures of pipes in chamber)
Annotation of Links in CPD. This example will illustrate the use of three types of annotation for explaining causal transitions: appealing to another causal process, to a function of a component, or to domain laws (so-called first principles of the domain). It will also illustrate the use of qualifiers, or conditions on states or device parameters for the transition to take place. Figure 5 shows one fully annotated causal transition in the Nitric-Acid-Cooler. It uses two functional and one domain law annotations, and employs conditions on the structure and substances as qualifiers. The qualifiers include conditions on the properties of the substance (it should be a liquid of low acidity) and structural conditions (the chamber fully encloses pipe2). Note that a transition may have more than one annotation or qualifier.
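The CPD machinery described in this subsection and in Section 4.1 (partial-state nodes, links carrying By-CPD, By-Function-Of and By-Domain-Law annotations plus Provided/If qualifiers, the requirement of a directed path from N_init to N_fin, and the hierarchical expansion of a By-CPD annotation into the sub-process it names) is compact enough to encode directly. The following is an added example written for this page, not code from any FR implementation the chapter describes. It uses the switch/battery/resistor circuit from the text as its data; the class, method and node names, the sub-CPD "electricity-to-heat" and its two links, and the qualifier strings are my own choices.

```python
"""A causal process description (CPD) as an annotated directed graph.

Added example for this page, not code from an FR implementation. Nodes are
partial states (predicates over state variables); links are causal transitions
with explanatory annotations and qualifiers; the graph may be cyclic but must
have a directed path N_init -> N_fin; a By-CPD annotation can be expanded into
the sub-CPD it names. All names below are illustrative choices.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Annotation:
    kind: str   # "By-CPD" | "By-Function-Of" | "By-Domain-Law" | "Noncausal"
    arg: str    # the CPD name, component function, or law appealed to


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    annotations: tuple = ()
    qualifiers: tuple = ()   # e.g. "Provided(switch stays closed)", "If(...)"


class CPD:
    def __init__(self, name, n_init, n_fin):
        self.name, self.n_init, self.n_fin = name, n_init, n_fin
        self.states = {}   # node -> partial state {state variable: value}
        self.links = []

    def add_state(self, node, **partial_state):
        self.states[node] = dict(partial_state)
        return self

    def add_link(self, src, dst, annotations=(), qualifiers=()):
        self.links.append(Link(src, dst, tuple(annotations), tuple(qualifiers)))
        return self

    def successors(self, node):
        return [lk.dst for lk in self.links if lk.src == node]

    def link(self, src, dst):
        return next(lk for lk in self.links if (lk.src, lk.dst) == (src, dst))

    def shortest_path(self):
        """Shortest directed path N_init -> N_fin by BFS, or None if there is
        none. The visited map makes cycles in the graph harmless."""
        prev, queue = {self.n_init: None}, deque([self.n_init])
        while queue:
            node = queue.popleft()
            if node == self.n_fin:
                break
            for nxt in self.successors(node):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        if self.n_fin not in prev:
            return None
        path, node = [], self.n_fin
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]

    def is_well_formed(self):
        """The text's one structural requirement: N_fin reachable from N_init."""
        return self.shortest_path() is not None

    def causal_story(self, library, indent=0, _seen=frozenset()):
        """Render the explanation along the shortest path. A By-CPD annotation
        whose target is in `library` (name -> CPD) is expanded one level deeper,
        indented; `_seen` stops runaway recursion between mutually referring CPDs."""
        path = self.shortest_path()
        if path is None:
            raise ValueError(f"{self.name}: no directed path from N_init to N_fin")
        pad, lines, seen = "  " * indent, [], _seen | {self.name}
        for src, dst in zip(path, path[1:]):
            lk = self.link(src, dst)
            tags = [f"{a.kind}({a.arg})" for a in lk.annotations] + list(lk.qualifiers)
            lines.append(f"{pad}{src} -> {dst}  [{'; '.join(tags)}]")
            for a in lk.annotations:
                sub = library.get(a.arg) if a.kind == "By-CPD" else None
                if sub is not None and sub.name not in seen:
                    lines.extend(sub.causal_story(library, indent + 1, seen))
        return lines


def build_circuit_cpd():
    """The circuit example from the text plus the sub-CPD that By-CPD points at.
    Returns (top-level CPD, library of named CPDs)."""
    heat = CPD("electricity-to-heat", "current through resistor", "heat generated")
    heat.add_link("current through resistor", "power dissipated in resistor",
                  [Annotation("By-Domain-Law", "Joule heating: P = I^2 R")])
    heat.add_link("power dissipated in resistor", "heat generated",
                  [Annotation("By-Domain-Law", "dissipated electrical power appears as heat")])

    circuit = CPD("circuit-heating", "switch is on", "heat generated")
    circuit.add_state("switch is on", switch="closed")
    circuit.add_state("current flows through the resistor", current="V/R")
    # A -> B: explained by component functions (switch "closed", battery "voltage")
    circuit.add_link("switch is on", "voltage applied between terminals",
                     [Annotation("By-Function-Of", "switch: closed"),
                      Annotation("By-Function-Of", "battery: voltage")])
    # B -> D: the collapsed causal link from the text (connectors + Ohm's law)
    circuit.add_link("voltage applied between terminals", "current flows through the resistor",
                     [Annotation("By-Function-Of", "connectors: conduit"),
                      Annotation("By-Domain-Law", "Ohm's law: V = I R")],
                     ["Provided(switch stays closed)"])
    # D -> E: explained by appeal to another process; D -> E': by a domain law
    circuit.add_link("current flows through the resistor", "heat generated",
                     [Annotation("By-CPD", "electricity-to-heat")])
    circuit.add_link("current flows through the resistor", "light generated",
                     [Annotation("By-Domain-Law", "incandescence of a hot filament")],
                     ["If(resistor is a filament)"])
    return circuit, {heat.name: heat}
```

Calling `build_circuit_cpd()` and then `cpd.causal_story(library)` yields the three top-level transitions, with the D → E link followed by the two indented links of the "electricity-to-heat" sub-CPD, which is the hierarchical composition the text describes under By-CPD. The light-producing link is present in the graph but not on the path to N_fin, illustrating that a CPD is oriented to one selected function.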
4.2.4 On Functions

Types of Functions. Keuneke (1989, 1991) has identified four types of functions: ToMake, ToMaintain, ToPrevent, and ToControl. (Franke, 1991, on device properties such as “guarantee,” “prevent,” etc., is motivated by quite similar ideas.) Formal definitions of these function types have been developed (Iwasaki and Chandrasekaran, 1992), but for our current purposes the following informal ones should suffice. All the function types above except ToControl take as argument a predicate, say P_F, defined over the state variables of the device. A function is of the ToMake type if the goal is to make the device reach a state in which P_F is true such that after that state is reached, no specific effort is needed to maintain the predicate’s value True, or it doesn’t matter what state the device enters after the desired state is reached. A function is of type ToMaintain if the intention is to bring the device into the desired state and the device has to causally ensure that the predicate remains True in the presence of any external or internal disturbance that might tend to change the device state. A function is of type ToPrevent if the goal is to keep P_F from ever being true, and some active causal process in the device is required to ensure it. (While logically ToPrevent P can be written as ToMaintain (Not P), there are important differences in practice. Pragmatically, a designer charged with making sure that a device will not explode uses knowledge indexed and organized for this purpose. This prevention of explosion, say by using a thick pipe, is not the same as maintaining some dynamic state variable in a range.) The function type ToControl takes as argument a specified relation v0 = f(v1, ..., vn) between the state variables v0, v1, ..., vn, and the intent is to maintain this relationship. That is, we wish to control the values of specific variables as a function of the values of some other variables.
A function F thus has the following descriptive elements:

Function(<function-name>)
Device(<device-name>)
Type(<function-type>)
Start-Conditions(<conditions>; the conditions under which the function will be initiated)
Function-Predicate or Control-Relation(<predicate | control relation>; the predicate that has to be reached, maintained, or prevented, or the control relation that has to be maintained)
By-CPD(<set of causal-process-descriptions>; explains how the function is achieved)

Consider the example of a nitric acid cooler in Fig. 2. Hot nitric acid goes into a heat exchanger and exchanges heat with the water being pumped in. The water gets hotter while the acid gets cooler. The functional definition of NAC can be given as follows.

Function(Nitric-acid-cooling)
Device(NAC)
Type(To-Make)
Start-Conditions(Input temperature of Nitric Acid = T1)
Function-Predicate(Outlet temperature of Nitric Acid = T2, T2 < T1)
By-CPD(CPD-1 in Fig. 4)

The complete FR is given by specifying the device name, its structure, the state variables of interest, the functions of interest, and the functional template, including the CPDs using the representational primitives we have just described. Many implementations exist for the FR language, with somewhat different syntax in each implementation. We have used a composite syntax, chosen mainly for expository effectiveness, omitting many of the details by giving English-language descriptions of the intended information within parentheses or curly brackets. For example, we say Qualifiers: (appropriate enclosures of pipes in chamber) in Fig. 5. A detailed syntax for representing the relevant relations about pipes is in fact available (Goel, 1989). Function types such as To-Maintain and To-Prevent apply not only to engineered artifacts, but to reasoning about natural phenomena as well: e.g., “The centrifugal force prevents the satellite from escaping into space,” and “The rain/evaporation cycle maintains the salinity of the oceans.”
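The four function types just defined differ in what they demand of the device over time, and the NAC template above fixes what has to be checked for one of them. The following added example, written for this page and not drawn from any FR implementation, makes those demands operational: a function spec carries a type, start conditions and a function predicate (or control relation), and `check_function` tests it against a trajectory, a time-ordered list of device states beginning when the start conditions hold. Reading each type as a trajectory property (ToMake: P_F reached at some point; ToMaintain: reached and then never lost; ToPrevent: never true; ToControl: the relation holds in every state) is my interpretation of the informal definitions in the text; the NAC and thermostat trajectories, temperatures and variable names are constructed, not measured. The last function shows the text's point that ToPrevent(P) and ToMaintain(Not P) come apart in practice.

```python
"""Function types ToMake / ToMaintain / ToPrevent / ToControl checked against
a trajectory of device states.

Added example for this page, not code from an FR implementation. A trajectory
is a time-ordered list of device states (dicts of state-variable values) that
starts when the start conditions hold. The trajectory readings of the four
types, and every name and sample value below, are illustrative choices.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, float]
Predicate = Callable[[State], bool]


@dataclass
class FunctionSpec:
    name: str
    device: str
    ftype: str                     # "ToMake" | "ToMaintain" | "ToPrevent" | "ToControl"
    start_conditions: Predicate
    function_predicate: Predicate  # P_F, or for ToControl the relation v0 == f(v1..vn)


def check_function(spec: FunctionSpec, trajectory: List[State]) -> Tuple[bool, str]:
    """Return (achieved, reason) for `spec` over `trajectory`."""
    if not trajectory:
        return False, "empty trajectory"
    if not spec.start_conditions(trajectory[0]):
        return False, "start conditions do not hold in the initial state"
    truth = [bool(spec.function_predicate(s)) for s in trajectory]
    if spec.ftype == "ToMake":
        # Reach a state where P_F holds; what the device does afterwards is irrelevant.
        return (True, "P_F reached") if any(truth) else (False, "P_F never reached")
    if spec.ftype == "ToMaintain":
        # Reach P_F, then keep it true for the rest of the trajectory, disturbances included.
        if not any(truth):
            return False, "P_F never reached"
        first = truth.index(True)
        lapses = [i for i in range(first + 1, len(truth)) if not truth[i]]
        return (not lapses), ("P_F maintained" if not lapses else f"P_F lost at step(s) {lapses}")
    if spec.ftype == "ToPrevent":
        # P_F must never become true, at any point.
        hits = [i for i, t in enumerate(truth) if t]
        return (not hits), ("P_F never occurred" if not hits else f"P_F occurred at step(s) {hits}")
    if spec.ftype == "ToControl":
        # The control relation must hold in every sampled state.
        broken = [i for i, t in enumerate(truth) if not t]
        return (not broken), ("relation held throughout" if not broken
                              else f"relation violated at step(s) {broken}")
    raise ValueError(f"unknown function type {spec.ftype!r}")


def nac_example() -> Tuple[bool, str]:
    """The NAC function from the text (To-Make: outlet temperature T2 < T1) on a
    constructed trajectory of the acid's inlet/outlet temperatures."""
    T1 = 80.0  # constructed inlet temperature
    spec = FunctionSpec("Nitric-acid-cooling", "NAC", "ToMake",
                        start_conditions=lambda s: s["acid_temp_in"] == T1,
                        function_predicate=lambda s: s["acid_temp_out"] < s["acid_temp_in"])
    trajectory = [
        {"acid_temp_in": T1, "acid_temp_out": T1},    # acid entering pipe1 at p1
        {"acid_temp_in": T1, "acid_temp_out": 71.0},  # inside the chamber
        {"acid_temp_in": T1, "acid_temp_out": 55.0},  # at p3: T2 < T1
    ]
    return check_function(spec, trajectory)


def thermostat_examples() -> Dict[str, bool]:
    """ToMaintain and ToControl on a constructed room/heater trajectory, once with
    the set point held and once with an excursion the device never corrects."""
    in_band = lambda s: 19.0 <= s["room_temp"] <= 21.0
    # control relation: heater is on exactly when the room is below 20 degrees
    relation = lambda s: s["heater_on"] == (s["room_temp"] < 20.0)
    maintain = FunctionSpec("hold-temperature", "thermostat", "ToMaintain", lambda s: True, in_band)
    control = FunctionSpec("regulate-heater", "thermostat", "ToControl", lambda s: True, relation)
    good = [{"room_temp": 17.0, "heater_on": True}, {"room_temp": 19.2, "heater_on": True},
            {"room_temp": 20.3, "heater_on": False}, {"room_temp": 19.8, "heater_on": True}]
    drift = good + [{"room_temp": 21.6, "heater_on": False}]   # leaves the band, never returns
    return {"maintain_good": check_function(maintain, good)[0],
            "maintain_drift": check_function(maintain, drift)[0],
            "control_good": check_function(control, good)[0]}


def prevent_vs_maintain_not() -> Tuple[bool, bool]:
    """ToPrevent(P) versus ToMaintain(Not P): on a trajectory where P is true at
    the very start and false thereafter, the maintain reading passes while the
    prevent reading fails."""
    over = lambda s: s["pressure"] >= 10.0
    prevent = FunctionSpec("no-burst", "pipe", "ToPrevent", lambda s: True, over)
    maintain_not = FunctionSpec("stay-below", "pipe", "ToMaintain", lambda s: True,
                                lambda s: not over(s))
    traj = [{"pressure": 10.5}, {"pressure": 8.0}, {"pressure": 7.5}]
    return check_function(prevent, traj)[0], check_function(maintain_not, traj)[0]
```

`nac_example()` returns `(True, "P_F reached")`: the acid leaves at 55 degrees, below the 80-degree inlet, so the To-Make predicate of the NAC template is satisfied regardless of what happens downstream. The thermostat trajectory with the uncorrected excursion fails ToMaintain but the same device satisfies ToControl as long as the heater state tracks the set point, and `prevent_vs_maintain_not()` returns `(False, True)`.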
Passive Functions. So far, all our discussion of function has been in the context of temporally evolving causal processes. Keuneke (1989) made a distinction between “active” and “passive” functions. A chair satisfies the function of providing a seat for a person, but normally we don’t explain this functionality by giving a description of all the state changes which the chair goes through as a person sits on it. This is not to deny that such a description can be given, but simply to point out that the function is normally explained as a match between the structural properties of the chair and how that meets the need to provide a seat. Similarly, a flower arrangement provides the function of decorating a room. Again, a description of how it achieves this function can be given by describing some process in which a viewer goes into a state of enjoyment, but the flower arrangement as such is not explained as something that undergoes a process involving state transitions in order for it to achieve the function. In these cases, the object achieves a function simply by virtue of its structural properties. Such devices can still have parts and parts may have functions as well, and the device function as a whole still arises from the parts achieving their functions. For example, in describing how a chair achieves its function, one might say at the top level that a chair has the structural property that a component with the function “support human bottom comfortably” is attached in a certain physical relation to a component with the function “elevate the device from the floor at a height equal to the length of average human legs,” and optionally, in a certain physical relationship to two components with functions “support arms.” Each of the component functions can be defined in terms of certain structural properties. 
With the exception of a recent thesis by Toth (1993), wherein she considers the functions of mechanical structures (such as frames and trusses), there has not been much work in the FR framework for representing such passive functions. In visual recognition, there have been studies (e.g., Stark and Bowyer, 1991; Brand et al., 1992; Rivlin et al., 1993) that attempted to use such functional notions to recognize the identity of objects in a visual scene. Traditionally, programs for recognizing chairs in scenes would have some sort of a structural template or description of a chair, and the recognition process would consist of trying to match this template against the visual scene. In this approach the recognition system can only recognize types of chairs for which it has a structural description. On the other hand, a person who has never seen a bean-bag chair might recognize it as a chair. Function-based recognition may actively use the hierarchical functional model of what makes a chair a chair, namely, it has parts that serve the role of a seat, and so on, to check if the object can serve the function.
Content Theory of Functions. In specific domains, we can develop theories of elementary functions that can be combined to make more complex functions. When the domain involved is of great generality, such as mechanical force transmission, such a content theory can be widely useful. Hodges (1992) has developed a set of useful basic functions in the domain of physical objects that interact on the basis of shape. Examples of such elementary functions are linkage, lever, gear, pulley, screw, spring, and container. These functions themselves are defined in terms of a vocabulary of state change operations, such as move, constrain, transform, and store.

Functions Intrinsic to Objects? How closely should functions be attached to object descriptions? There has been much debate about the distinction between “function,” “behavior,” and “use.” There is a view that the functions of an object are strictly outside the supposedly more intrinsic behavioral description of an object. That is, functions are seen as constituting a separate ontological category from behaviors, and behaviors are viewed as part of a neutral description of objects. Yet another proposal attempts to make a distinction between the “use” made of an object and its intrinsic function. Any description of an object makes choices from available descriptive terms. The behavior of a physical object might be described by one observer in terms of currents and voltages, while another observer might describe it in terms of amplification. The former description is no more intrinsic than the latter, since the description in terms of currents and voltages is already based on a point of view that chooses both to omit certain things about the object (e.g., color, weight, etc., in the case of a circuit) as well as to commit to a certain level of abstraction (the same object could have been described in terms of more fundamental physical phenomena, say its atomic behavior).

There is thus no completely neutral description of an object’s behavior. We have proposed that “function” be interpreted as a distinguished behavior of interest for some observer. There is no commitment to the use of the object for a purpose. However, someone who uses an object in a certain way is an observer for whom the behavior of interest is the one that corresponds to her use of it. Thus, in the sense in which we propose to use the terms, the representational terminology for “use” is the same as that for “function,” which is the same as that for “behavior.” Function is simply a behavior of interest, and the use of a device in a certain way is possible because it is capable of behaving in that way. Again, this is only for devices whose functions arise because of the state changes that the device passes through. As we mentioned earlier, there are devices whose behavior arises from the very structure of the device, and, in these cases, functions are not to be viewed as “distinguished behaviors of interest.” A more general framework is one in which functions are “distinguished properties of interest,” where properties may be behavioral states or structural properties.
What is the function of a thermostat? To maintain the temperature in a room within a given range? To regulate the flow of electricity to the heater as a certain function of temperature? To regulate the flow of electricity as a function of a specified spatial distance inside a bimetallic strip? None of these descriptions is intrinsic to the piece of matter that we call thermostat. Depending upon how we model the embedding context, all of the above descriptions can be supported. Consider the following CPD: “(T < T1) → strip curls in → end makes physical contact → switch closed → furnace is on → temperature increases.” If we model the thermostat as embedded in the physical circuit, we can halt the “intrinsic” description of the thermostat at “end makes physical contact.” If the embedding context is modeled as an electrical circuit, the thermostat description extends up to “switch closed.” And so on. There is nothing intrinsic about it, though, clearly, there may be some conventions regarding well-known devices that tell us where the description normally halts. The notion of an intrinsic level of description for physical objects derives from a belief in reductionism that all of us have been raised on, namely, that physics gives us the fundamental level of reality; moreover, all other (higher) levels can be reduced to it. That might be an appropriate doctrine about the nature of reality, but reasoning about the world requires levels of description corresponding to levels of interest. Our knowledge of causality ties descriptions at various levels: events both within and between levels are causally linked. A theory of reasoning about the physical world cannot be based on the notion of a reductionistic “intrinsic” physical description.
4.3 Remarks on FR

1. Nodes in CPD are partial states. The nodes in the graph are partial states, i.e., predicates about some aspect of the device, not a complete description of all the states of the device.

2. The level of abstraction of the predicates in the CPD is that needed for the causal story. Some of the predicates may directly correspond to component-level state variables, while others may have only a device-level existence. In the CPD in the electrical circuit example, heat and light are device-level state variables, while voltages and current and the off or on status of the switch are component-level variables.

3. FR is underdetermined by the underlying structural description. The form assumed by an FR is not unique. For the same physical system, not only are there different FRs for different functions, but even for a given function, different FRs can be written. The differences could reflect different assumptions about background knowledge, different decomposition strategies, and, to some extent, different intended uses for the FR. Suppose the FR model is going to be used for diagnostic purposes. Appealing to the domain laws that relate current to heat might be sufficient if all we want to do is to check whether a resistor is faulty and, if so, to replace it. However, if it is a matter of inventing different types of materials from which the resistor is to be produced, a more detailed CPD that refers to the properties of the resistor material may be more useful as an annotation for the same link. It should be emphasized, however, that being goal dependent is not the same as being arbitrary or simply subjective. The FR is still intended to represent reality, but what aspects are chosen and what levels of abstraction they are represented in depend on the problem-solving goal.

4. The CPD integrates the “object” and the “process” views. The CPDs in the FR view integrate the process (Forbus, 1984) and object (de Kleer, 1984) views in modeling a physical system. Components have functions that are realized through CPDs that, in turn, appeal to functions of other components.

5. FR and CPDs capture causal understanding in general. So far, we have talked about functions of devices, i.e., roles intended by designers or users for some physical objects. But, as stated earlier, the FR framework is really a framework for causal understanding, not just for representing functions of engineered artifacts. Consider the following questions:

i. How does this device work (i.e., deliver the intended function)?
ii. How does cancer “work”? (i.e., what is the mechanism of cancer?)
iii. How do clouds make rain? How are mountains formed?
iv. How does the immune system work?
v. How does this program work? How does this algorithm work?
vi. How is sticking pins in the doll going to bring my lover back? (i.e., How does voodoo work?)

Question i of course captures the traditional notion of a function of an engineered device. In question ii, cancer is hardly an intended function.
The questions in iii are about natural phenomena. The scientific temper of our times would be inimical to talking as if clouds have an intended function to make rain, or that geological processes were intended to form mountains. Regarding question iv, the theory of evolution allows us to talk about the function of immune systems (to give the organism immunity against infections) and the function of the heart (to pump blood). In the questions in v, we do not have a physical object at all, but an abstract object of some sort, and we still often talk about it in the same way as we talk about causal
processes in physical objects. In question vi, while the particular voodoo practice has an intended function and the voodoo practitioner is likely to give a causal account, it is not something we would believe in. Let us first consider particular cases from this list that correspond to physical phenomena. If we interpret the term “function” not in the sense of an intended state, but in the sense of a role or state of interest, it becomes apparent that the causal accounts that are needed to explain the phenomena are of the same type as those we are attempting to capture in CPDs. That is, we are interested in explaining the occurrence of a distinguished state of interest: in i, the device reaches a state corresponding to the intended function, in ii, the cellular mechanisms reach a cancerous state, in iii, a collection of water molecules with certain properties reach a state corresponding to forming rain, and in iv, the body reaches a state in which invading organisms are destroyed. The functional state in an artifact is simply a type of distinguished state of interest. In the case of abstract systems such as programs (question v), we still have components (modules in programs), their functions (i.e., identified roles to play in the achievement of the goal), and structure (control structures for programs that define how the modules are invoked and how their results are used). We talk about program states changing as a result of certain operations. Allemang (1990, 1991) and Allemang and Chandrasekaran (1991) construct FRs and CPDs for computer programs. Discussions of the metaphysics of how notions of a causal process may be applied to mathematical objects such as programs are beyond the scope of the present article. At least formally, however, the FR machinery is both applicable and useful. Question vi is interesting in another way. The causal story it tells is, at least according to the lights of science, a false one.
But what is interesting is that such an explanation has the same logical structure as the causal story that a scientist would construct for a natural phenomenon. The explanation of the voodoo process probably goes something like “Sticking of the pin causes such and such spirits to be awakened who, in turn, do such and such things. . .” If asked for an explanation of each causal transition, explanations are likely to appeal to the functions of the various spirits, some recognized causal process in the voodoo theology or some recognized domain relations. That is, what makes the voodoo explanation false is not the form or logic of the explanation, but the phenomena that are appealed to in the explanations. The point of the above discussion is that the underlying framework for capturing the logic of a causal mechanism explanation has broader applicability than just to engineered artifacts. The framework itself can be thought of in terms of an explanation of how certain distinguished states of
interest are, or are not, caused, and what roles the parts of the configuration play in this process. When we design an artifact with a function in mind, we want to create a configuration that can reach states satisfying the predicate corresponding to the function of interest, and we want the various parts of the device to play certain causal roles in this process. When we debug an artifact that is malfunctioning, we want to know why the configuration is not reaching certain distinguished states of interest. But, even in the engineering domain, the logical form of the explanation of the causal processes is itself independent of the notions of desired or undesired functions. In what follows, we will in general speak of engineering artifacts and their intended functions, but it should be kept in mind that many of the points we make can be restated with respect to the general problem of understanding the causal processes of configurations, whether physical or abstract.
4.4 Applications of FR

The FR framework in its various forms has been used for a variety of problem-solving tasks. In this section, I review, in varying detail, a number of these tasks.
4.4.1 Generating Causal Explanation by Simulation⁵

The Problem Statement. Consider the following problem. Given a set of observations and a diagnostic hypothesis, construct an explanation of how the hypothesized malfunction caused the observations. That is, construct a set of causal stories, each of which starts with the hypothesized malfunction and concludes in one or more observations. In the following, I describe the work of Keuneke (1989) on the use of FR for solving this problem. Technical definitions of a few terms may be useful:

Observations. Observable state variables. Some of the observations are called symptoms, which are abnormal state variable values indicative of malfunctions that trigger the diagnostic process, e.g., specification of a drop from normal pressure. Malfunctions are observations that correspond to device-level functions that are not being delivered. (Malfunctions are symptoms as well.) The rest of the observations give information about the state of the device, but are not immediately classifiable as abnormalities. Most observations on a complex system are of this type.

Diagnostic hypotheses. These are malfunctions of components or missing (but expected) relationships between components. A missing relationship would eventually result in the enclosing subsystem turning into a malfunctioning component.

Causal explanation. A CPD that starts with a diagnostic hypothesis and concludes with one or more observations that are to be explained. The explanation sought can be formally stated as follows:

diagnostic hypothesis → x1 → … → xi → … → xN

where each xi is either (1) a state that is causally relevant to producing an observation, but is itself not a malfunction, (2) a component or subsystem malfunction, or (3) an observation at the device level.⁶ In Keuneke’s work, the diagnostic hypothesis is assumed to have been generated by some form of “compiled” reasoning, and FR is used to check whether the hypothesis makes causal sense.

⁵ This section is adapted from Tanner, M. C., Keuneke, A. M., and Chandrasekaran, B. (1993). Explanation using task structure and domain functional models. In Second Generation Expert Systems (J. M. David, J. P. Krivine, and R. Simmons, eds.), Springer-Verlag, pp. 596-626.
Generating the Malfunction Causal Chain. The organization of a functional representation gives both forward and backward reasoning capability, i.e., it can trace from the hypothesized malfunction to observations (forward), or it can trace from observations to the hypothesized malfunction (backward). This section describes an algorithm that demonstrates the forward simulation potential.⁷ Specifically, if a device A is malfunctioning, devices that use device A (say devices B and C) have a high probability of malfunctioning as well. Similarly, devices that use B and C may malfunction as well, etc. The malfunction causal chain is achieved through the following algorithm, which we have condensed in order to illustrate the main points.

1. Set Observations to the symptoms to be explained, and set HypothesisList to the set of diagnostic hypotheses. Initialize HypothesisObject to an individual diagnostic hypothesis in this set (diagnosed hypotheses and their relationship to observations are considered individually).

⁶ In some cases (3) could be (2) as well, i.e., they are not mutually exclusive.

⁷ Note that since the explanation generation mechanism uses expected functionalities and their causal processes rather than all behaviors that could possibly be generated, the problem space is bounded and thus focused.
2. Identify the function that HypothesisObject names as missing. From the FR of the device, find all functions that make use of this function, and call this set PossibleMalfunctions.

3. For each element in PossibleMalfunctions (call the specific function PossMal) consider the significance of the effect of HypothesisObject on the function: If there is no effect on PossMal, then remove it from PossibleMalfunctions; HypothesisObject is not causing future problems. Consider the next element in PossibleMalfunctions. Else maintain the (Malfunction → Malfunction) explanation chain; HypothesisObject is now known to cause a malfunction to PossMal. Specifically, HypothesisObject → PossMal is appended to the chain. Note that this step will ultimately place any potential malfunctions in a malfunction chain, including those that are in the set of Observations. Continue.

4. Check the states in the causal process description of the affected PossibleMalfunction. Would noncompletion of these states explain any symptom(s) in Observations? If yes, append to ExplainedSymptoms and print the chain that led to this symptom. Complete the malfunction explanation chain by continuing.

5. Set HypothesisObject to PossMal.

6. Repeat the process from Step 2 until all symptoms are in ExplainedSymptoms or the top-level causal process description of the device has been reached.

7. Repeat from Step 1 until all elements of HypothesisList have been considered.

Step 2 is easily accomplished through the component hierarchy of the functional representation (see the example to come). Steps 3 and 4 are more intricate and involve knowledge of function type (such as whether it is To-Make, To-Prevent, etc.) and the achievement of the intended causal processes. For example, in Step 3, to determine the effects of a malfunction on other functions, one must consider the possible consequences of the malfunctioning components. In general, the malfunction of a component in a device can cause one or more of the following three consequences:

• NOT Function: the expected results of the function will not be present. Given that the malfunction is not producing the expected results within the causal process, what states in those causal processes will not occur? And, will the lack of this functionality result in malfunctions of functions in which the malfunctioning component was used?

• Parameter Out-of-Range: the expected results of the function are affected, but the function is still accomplished to a limited degree. Sometimes components may be considered malfunctioning yet can still perform the function (or value of some substance parameter) to the extent needed for future use.

• New Behaviors: the malfunction results in behaviors and states that were not those intended for normal functioning.

The determination of whether a proposed malfunction can explain a symptom, Step 4 in the explanation algorithm, can be established by a number of means. The following is a nonexhaustive list:

1. Check each state in the causal process description in which the malfunctioning component is used to see if there is a direct match between a symptom and not achieving an expected state.

2. Check to see if the function that is malfunctioning has an explicit malfunction causal process description and if the symptom is included therein.

3. Check to see if side-effects of the function’s causal process description refer to variables involving the symptoms.

4. Check each state in the malfunction causal process description and its Provided clause to see if expected states point to general concepts or generic classes of behavior (such as leak, flow, continuity) and if the symptom pertains to or is explained by such concepts.
Representation of a Chemical Processing Plant. This section provides the output for a sample explanation in the domain of chemical processing plants (CPP). The hierarchy in Fig. 6 shows a partial representation of the functional components with their intended functions (functions are specified under component names). The top-level function, produce.acid, is achieved by the causal process oxidation shown in Fig. 7. The function hierarchy is generated from the CPDs for the FR of the plant. For example, CPP uses the functional components LiquidFeedSystem, AirFeedSystem, TransferSystem, etc., in the process oxidation, which represents the causal chain used to achieve the function produce.acid; TransferSystem uses the functional components AirFeedSystem, MixingSystem, etc., in its causal process to achieve the function extraction, and so on.
[Figure 6 not reproduced; the legible labels of the hierarchy include controlamount, controlheat, PressureCtrl, CondensateWithdrawalSystem, LiquidConcCtrl and retrieveliquid.]

FIG. 6. Partial functional hierarchy of the chemical processing plant. (From Tanner, M. C., Keuneke, A. M., and Chandrasekaran, B. (1993). “Explanation using task structure and domain functional models,” in Second Generation Expert Systems (J. M. David, J. P. Krivine, and R. Simmons, eds.), Springer-Verlag, pp. 599-626. © 1994, Springer-Verlag. Reprinted with permission.)
The Problem
CoolantSystem (identified at the right of Fig. 6) is used to provide coolant water to Condenser for transferring heat from the vapor in Condenser (see Fig. 8). Suppose the coolant water has been completely cut off. A diagnostic system has concluded that a malfunction of the function provide.coolant of CoolantSystem explains the symptoms of NOT (present product external.container) and NOT (temperature rxvessel at.threshold). Specifically, HypothesisObject is provide.coolant of CoolantSystem and the observations to be explained are (NOT (present product external.container), NOT (temperature rxvessel at.threshold)). The system produces three causal stories.

Causal Story 1: Generation of Causal Connections

The causal process SupplyReactants uses the functions retrieveliquid and LiquidConcCtrl, in addition to the LiquidFeedSystem and AirFeedSystem. The explanation system generates the following:
[Figure 7 not reproduced. Its node states, in order: (amount acid below.threshold) → (present reactants rxvessel) → (amount heat rxvessel increased) → (condition rxvessel sufficient) → (present acid rxvessel) → (present product external.container). The first transition is annotated By SupplyReactants and the last Using function extraction of TransferSystem.]

FIG. 7. Causal process oxidation used by function produce.acid. (From Tanner, M. C., Keuneke, A. M., and Chandrasekaran, B. (1993). “Explanation using task structure and domain functional models,” in Second Generation Expert Systems (J. M. David, J. P. Krivine, and R. Simmons, eds.), Springer-Verlag, pp. 599-626. © 1994, Springer-Verlag. Reprinted with permission.)

[Figure 8 not reproduced. Its node states: (surrounded vapor coolant) → (temperature vapor decreased); the first is reached Using function provide.coolant of CoolantSystem.]

FIG. 8. Remove-heat function of Condenser. (From Tanner, M. C., Keuneke, A. M., and Chandrasekaran, B. (1993). “Explanation using task structure and domain functional models,” in Second Generation Expert Systems (J. M. David, J. P. Krivine, and R. Simmons, eds.), Springer-Verlag, pp. 599-626. © 1994, Springer-Verlag. Reprinted with permission.)

The symptom NOT (present product external.container) is explained by the following chain: NOT provide.coolant causes malfunction in condense causing malfunction in retrieveliquid causing malfunction in LiquidConcCtrl causing problems in behavior SupplyReactants which is used in behavior oxidation and indicates malfunction of the top level function and results in NOT (present product external.container)
The idea here is that if the required amount of reactants is not available, the product is not produced as desired and, thus, cannot be retrieved. The explanation system generates this chain by means of the following information: provide.coolant caused a malfunction in condense because it caused a failure in the behavior of condense. A malfunction in condense caused a malfunction in retrieveliquid because its achievement was required to attain the desired CPD for retrieveliquid. retrieveliquid caused a malfunction in LiquidConcCtrl because it was needed to provide the preconditions for LiquidConcCtrl and it preceded the use of LiquidConcCtrl in the behavior SupplyReactants. SupplyReactants was used in the causal process oxidation (see Fig. 7) to achieve the state (present reactants rxvessel). This state was necessary for the completion of the CPD and thus nonachievement here denotes nonachievement of further states in the CPD, particularly NOT (present product external.container).

Causal Story 2: The Use of Side-Effect Inspection

The explanation system continues and finds a causal connection for the second symptom, NOT (temperature rxvessel at.threshold).

The symptom NOT (temperature rxvessel at.threshold) is explained by the following chain: NOT provide.coolant causes malfunction in condense causing problems in behavior removeheat of function cool.

Since cool is not a top-level function of the chemical processing plant, the trace continues until all consequences are determined.

The symptom NOT (temperature rxvessel at.threshold) is explained by the following chain: NOT provide.coolant causes malfunction in condense causing malfunction in cool causing problems in behavior compensate.oxidation.se, a notable side effect behavior used in oxidation and indicates NOT (temperature rxvessel at.threshold)

Notice that this explanation identifies that the symptom was observed in a side-effect behavior (compensation for effects of the reaction), rather than in a behavior of the main functionality (production of acid).

Causal Story 3: Using Subfunction Connections for Causal Focus

A final statement is made when the system has inspected all the relevant causal chains. The final causal path is achieved via causal connections obtained specifically through the knowledge of subfunctions. In its specification, the function extraction has a Provided clause that specifies that
the solid acid slurry must have the proper consistency so that flow through the extraction tube is possible. The function SolidConcCtrl is present in this device for the sole purpose of producing these conditions for extraction. The purpose of SolidConcCtrl is to keep the solid suspended and maintain the concentration in the reaction vessel at the proper consistency. In the CondensateWithdrawalSystem, the retrieveliquid function uses Condenser to retrieve the condensate from the vapor produced. The MixtureLevelCtrl function then uses a feedback controller to maintain the flow and, thus, the desired amount of liquid in the reaction vessel, which ensures that the acid slurry has the proper consistency. If the liquid is not retrievable, then, obviously, the condensate flow cannot be controlled and the consistency of the acid in the vessel is not maintained. The explanation system provides this explanatory story as follows:

One function affected by provide.coolant is SolidConcCtrl which is a necessary subfunction of extraction. The symptom NOT (present product external.container) is explained by the following chain: NOT provide.coolant causes malfunction in condense causing malfunction in retrieveliquid causing malfunction in MixtureLevelCtrl causing malfunction in SolidConcCtrl causing malfunction in extraction causing malfunction in produce.acid causing NOT (present product external.container)

Discussion
The intrinsic limitations of a functional representation for explanation arise from its intrinsic limitations for simulation. The representation uses prepackaged causal process descriptions that are organized around the expected functions of a device. Simulations of the malfunctioning devices are thus limited to statements of what expectations are “not” occurring. This limitation affects the capabilities for explanation in two significant ways. First, the functional representation is not capable of generating causal stories of malfunctions that interact unless the device representation has this interaction explicitly represented. Similar problems regarding the interactions of malfunctions arise in diagnosis (Sticklen et al., 1985). Secondly, “new” CPDs, i.e., CPDs that are not those intended for normal functioning but, rather, arise due to a change in device structure, could potentially lead to symptoms that cannot be explained using the functional representation. Additional research focusing on how a functional organization might be used to determine these new behavioral sequences, in addition to determining how conventional methods of qualitative reasoning may be integrated, is needed.
4.4.2 Parametric Simulation

Let us say we have a CPD associated with the function

s_1 → s_2 → … → s_F

where s_1 is the initial state and s_F the functional state desired. This CPD packages a simulation sequence. If all the conditions for s_1 and the next transition are satisfied, the partial state corresponding to its successor will be achieved, and similarly for the next transition, and so on. The nodes in CPD and the conditions on the links may be represented parametrically. In that case, CPD becomes a parametrized family of behaviors. Specific behaviors can then be derived for particular situations represented by a particular set of parameters. DeJongh (1991) uses the idea of parametric simulation to reason about classes of functional systems in the domain of blood typing and testing. The members of the class follow the same causal process, but differ in the various parameters associated with the values of the variables. For example, the way that the function of preventing spontaneous agglutination is achieved by the red cells is represented parametrically. Similarly, the class of test procedures is also represented as a class of devices that use specific causal processes to achieve the test functions. Sticklen and his group (Pegah et al., 1993) have been most active in developing techniques for the use of FR in simulation. Each CPD is a prepackaged simulation sequence of states of interest in some context, and, in that sense, tracing a CPD represents a limited form of simulation. However, the very fact that CPDs are organized with respect to goals of interest provides advantages in many simulation problems. In particular, when FR represents a class of devices (or a class of contexts and initial conditions), CPD and the hierarchical organization implicit in FR make possible efficient situation-specific and goal-directed simulation. Suppose that a device has a number of functions, each with different Provided clauses, i.e., the different functions are invoked under different conditions.
Note that a similar situation might prevail with respect to the components of the device, i.e., each of the components might have its own function, and each function might have its own distinct Provided clause(s). Let us also assume that FR is represented parametrically, i.e., the partial states and the various conditions in the CPDs include parameters corresponding to structural parameters that can be instantiated to specific versions of the device. Sticklen describes an algorithm that, in outline, works as follows:

1. Given the operating conditions and the parameters, the simulator starts with top-level functions and identifies all the functions whose Provided clauses are satisfied. Any missing or altered functions can also initialize the simulation. If one function uses another function as part of one of its links, the calling function is included, but not the called function.

2. Using the specific parameters and the conditions, top-level CPDs of the functions that are chosen in Step 1 are instantiated. Note that this does not merely copy CPD. Some of the paths in CPD may not be taken because the conditions for the links are not satisfied, either because of the conditions in the Provided clauses of functions that are called or because the functions are otherwise not available. Instantiation of CPD for the specific situation constitutes a Particularized State Diagram (PSD).

3. Any link in CPD with a By-CPD or a By-Function annotation can be expanded by accessing the referenced CPD or the CPD of the referenced function, and instantiating it by means of the values of the parameters and eliminating inapplicable paths. This now produces a PSD at another level of detail. The process can be continued to as great a degree of detail as necessary. As PSDs are built up, the values of the state variables are appropriately updated.

Thus the simulation itself is available in a hierarchical fashion to many levels of detail, mirroring the functional decomposition of the device. Pegah et al. (1993) describe the simulation of the fuel transport system of an F-18 aircraft using this technique. Sticklen et al. (1991) also describe the process of integrating qualitative and quantitative simulations in an FR framework. Basically, the transitions in CPD help the simulation system focus on the particular quantitative equations that are to be used in the actual computation (see also Sun and Sticklen (1990)).

Toth (1993) has recently shown how FR may be used as an organizing principle for intelligent simulation so that the computational effort in simulation can be allocated in response to goals. For example, in a structural engineering problem, we might be interested in knowing if the stress in some element is going to be more than the maximum allowed. Engineers reasoning about such problems typically combine quantitative and qualitative techniques. By using purely qualitative techniques, many members could be ruled out, helping to zero in on a member with a high likelihood of excessive stress. Numerical techniques could then be used to make precise computation of the stress in restricted parts of the original structure. Toth shows how the CPD of devices may be organized to include pointers to both qualitative and quantitative methods of computing the state variables involved in causal transitions.
4.4.3 Diagnostic Reasoning

Davis (1984), Fink and Lusth (1987), and Steels (1989) are among a number of authors who have used functional notions explicitly in diagnostic reasoning, though work in this vein does not include the relationship between functions and causal processes that our own work on FR elaborates. In the use of FR in diagnosis, the causal process description plays an important role.
Simple Use of FR in Diagnosis. The first application of FR was in diagnostic reasoning. In Sembugamoorthy and Chandrasekaran (1986) a diagnostic knowledge structure was compiled for an electronic buzzer from its FR. The diagnostic knowledge structure was a malfunction tree, with a set of diagnostic rules for each of the malfunctions. Sticklen (1987) used a similar idea, but in his problem the diagnostic knowledge structure was incomplete. He used FR to generate the diagnostic knowledge that was needed for a diagnostic situation. The distinction between the use of FR for generating a complete diagnostic knowledge structure in advance versus only fragments of diagnostic knowledge as needed for a problem instance could be described as a distinction between compilation and interpretation, but this distinction is not my focus here. The various issues in applying FR in diagnosis are explored in Chandrasekaran et al. (1989), Sticklen and Chandrasekaran (1989), Sticklen el al. (1989), Sticklen and Tufankji (1992) and Sticklen et al. (1993). The central idea for diagnosis can be summarized as follows. For simplicity, let us first consider a CPD in which each transition has only one annotation
    n1  --By-Function F of component c-->  n2

Suppose the device is in partial state n1, i.e., the device is in a state that satisfies the predicates corresponding to n1. Suppose we test the device and observe that the device fails to reach n2. What conclusions can we draw? Because the CPD asserts that the device goes from partial state n1 to n2 because of the function F of component c, we can hypothesize that the failure to reach n2 is due to the component c not delivering the function F. Corresponding to this transition we can identify one possible malfunction state, “Component c not delivering function F.” The diagnostic rule, “device satisfies n1 but not n2,” can be used to establish this malfunction mode of the device. If the annotation had, instead, been By-CPD CPD-1, where CPD-1 is a specific CPD, we could similarly examine CPD-1 to see why this transition failed (some transition in CPD-1 will fail if the transition from n1 to n2 failed). Ultimately, we can identify some function of some
FUNCTIONAL REPRESENTATION AND CAUSAL PROCESSES
113
component that would have to be responsible for the failure of the device to reach n2. There is no malfunction corresponding to a transition with the annotation By-Domain-Law; a domain law cannot fail to hold. Of course, the designer’s account of the role played by the domain law could be incorrect, but we are assuming here that the FR itself is correct. How to verify the FR itself is an interesting issue in its own right, but is not the subject of the current discussion. The technique of identifying a component malfunction either directly from the annotation By-Function or by recursive application of By-CPD leads to a diagnostic tree that will have as tip nodes the malfunctions of components or subcomponents. The diagnostic rule for each malfunction will be composed of rules of the form, “If the predicates corresponding to node ni are true, but those corresponding to nj are not true, then establish the malfunction.” What happens when we have more than one annotation, e.g., as in Fig. 5 where the transition appeals to more than one function? In this example, the transition can fail because pipe2 is blocked, because its thermal (heat exchange) function fails, or because the conditions in the qualifiers are not satisfied. In this case, the failure of the transition can only identify these as possible malfunctions, but cannot establish them. Additional information will be necessary. Not all diagnostic knowledge can be derived from design information alone. For example, rank ordering of diagnostic hypotheses in terms of likelihood and pursuing them in order of most to least probable is quite common in diagnostic reasoning. But this ordering requires knowledge of the probabilities of failure for the components. This information is not derivable from a causal model of how a device works. Additional information in the form of failure rates is needed.
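As an added example (not code from the chapter or from any of the systems it cites), the following Python compiles a malfunction tree and its diagnostic rules from a CPD in the way just described: By-Function annotations become tip-node malfunctions, By-CPD annotations are followed recursively, By-Domain-Law yields no malfunction, and a transition with several annotations only suggests its malfunctions rather than establishing them. The buzzer-like CPD, its sub-CPD and the predicate names are constructed for illustration.

```python
"""Added example: compiling diagnostic rules from a causal process
description (CPD) as the text describes. Not code from the chapter or from
the systems it cites; the buzzer-like device, its predicate names and its
sub-CPD are constructed for illustration.

Annotations on a transition n_i -> n_j are tuples:
  ("By-Function", F, c)   component c delivers function F
  ("By-CPD", name)        a named sub-CPD explains the transition
  ("By-Domain-Law",)      a domain law, which cannot fail"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    preds: frozenset        # predicates defining this partial state


@dataclass(frozen=True)
class Transition:
    src: Node
    dst: Node
    annotations: tuple      # one or more annotation tuples


@dataclass(frozen=True)
class Rule:
    malfunction: str        # tip node: "c not delivering F"
    holds: frozenset        # predicates of n_i that must be observed true
    fails: frozenset        # predicates of n_j, not all observed true
    certain: bool           # True: rule establishes; False: only suggests


def compile_rules(cpd_name, library):
    """Build the diagnostic tree for a CPD as a flat list of rules, recursing
    through By-CPD annotations down to component malfunctions."""
    rules = []
    for tr in library[cpd_name]:
        # with several annotations (the Fig. 5 situation) a failed
        # transition can only suggest the malfunctions, not establish them
        certain = len(tr.annotations) == 1
        for ann in tr.annotations:
            kind = ann[0]
            if kind == "By-Function":
                _, func, comp = ann
                rules.append(Rule(f"{comp} not delivering {func}",
                                  tr.src.preds, tr.dst.preds, certain))
            elif kind == "By-CPD":
                # some transition of the sub-CPD must fail if this one fails
                for r in compile_rules(ann[1], library):
                    rules.append(Rule(r.malfunction, r.holds, r.fails,
                                      r.certain and certain))
            elif kind == "By-Domain-Law":
                pass            # no malfunction corresponds to a domain law
            else:
                raise ValueError(f"unknown annotation {ann!r}")
    return rules


def diagnose(rules, observed_true):
    """Fire rules of the form 'n_i holds but n_j does not' against the set
    of predicates observed true; returns (established, possible)."""
    established, possible = set(), set()
    for r in rules:
        if r.holds <= observed_true and not r.fails <= observed_true:
            (established if r.certain else possible).add(r.malfunction)
    return established, possible


# --- constructed sample: an electronic buzzer ----------------------------
n1 = Node("n1", frozenset({"switch-closed"}))
n2 = Node("n2", frozenset({"coil-energized"}))
n3 = Node("n3", frozenset({"clapper-moving"}))
n4 = Node("n4", frozenset({"sound-emitted"}))
s1 = Node("s1", frozenset({"current-flows"}))      # nodes of the sub-CPD
s2 = Node("s2", frozenset({"field-present"}))

LIBRARY = {
    "buzzer": [
        Transition(n1, n2, (("By-CPD", "energize"),)),
        Transition(n2, n3, (("By-Function", "attract", "clapper"),
                            ("By-Function", "conduct", "wire"))),
        Transition(n3, n4, (("By-Domain-Law",),)),
    ],
    "energize": [
        Transition(n1, s1, (("By-Function", "conduct", "wire"),)),
        Transition(s1, s2, (("By-Function", "magnetize", "coil"),)),
        Transition(s2, n2, (("By-Domain-Law",),)),
    ],
}

RULES = compile_rules("buzzer", LIBRARY)
```

With the switch closed and current flowing but no field observed, the single-annotation sub-CPD rule establishes the coil malfunction; with the coil energized but the clapper not moving, the doubly annotated transition can only list its two malfunctions as possible.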
Conversely, not all diagnostic knowledge derived from causal models is directly usable, since some of the variables mentioned in the diagnostic rules generated from the causal models may not be directly observable. Additional inference may be required. For example, in medical diagnosis, from an FR of liver functions, one might derive the diagnostic rule, “If bile is generated in the liver but is not delivered to the duodenum, then establish ‘blockage of bile duct’.” However, “bile in the duodenum” is not directly observable. Additional reasoning about the consequences of bile in the duodenum, perhaps by using FRs of other physiological mechanisms, can result in observable tests that can then be used as diagnostic knowledge. DeJongh (1991) discusses the use of FR-like simulations of physiological mechanisms (like the “Prevent-agglutination” function of red blood cells) to verify abductive hypotheses in a blood typing system. His work is
significant in that both the compiled diagnostic problem solving and the causal simulation using FR are done in a uniform formalism of problem spaces in the Soar (Laird et al., 1987) framework. This enables him to use Soar’s chunking mechanism to transfer the results of causal simulation to the compiled diagnostic knowledge structure. Debugging proposed designs in design problem solving involves a form of diagnosis. Stroulia et al. (1992) discuss the use of FR in this task.
Debugging Computer Programs. Allemang (Allemang, 1990, 1991; and Allemang and Chandrasekaran, 1991) considered the problem of understanding how computer programs work. Computer programs have components just like physical devices, with modules at higher levels, and programming language statements at the lowest level. We can arrive at an understanding of how a program functions by building a process description. One of the basic principles behind FR is that the way in which a component achieves its functions is irrelevant to understanding its role in a device; in fact, the component may be replaced by another that provides the same functionality. As a consequence, an FR does not represent a single device, but a class of devices that share the same functional breakdown. Allemang proposed that an FR in the programming domain would correspond to several programs, all sharing the same strategy. Proofs of correctness of these programs would share many features in common as well. In that sense FR can be viewed as an organization of the proofs of correctness of this class of programs. The partial states in the CPD of an FR correspond to intermediate formulas that appear in all the proofs. Typical examples of these states of computation include assertions about values of variables and loop invariants. In this section, I will use some examples from Allemang (1990) and Allemang and Chandrasekaran (1991) to illustrate FR of programs. See also Liver (1993) for application of FR to programs in the domain of telecommunications.
An Example of a Functional Representation of a Program. Consider the problem of moving the contents of each element of an array between indices k and n - 1 to the next higher position, that is, $\forall i \in [k, n-1],\ a[i+1] = \#a[i]$ (#a denotes the original values of the array a). At the end of the program, a[n] has the value that used to be at a[n - 1]. Three possible solutions to this are shown in Fig. 9. The first solution iterates backwards over the relevant fragment of the array, moving the element with the highest index (n - 1) into place first, leaving room for the next-to-last element, and so on. The second solution attempts to move the element with least index (k) first, but is buggy, since this clobbers the
Program 1 (left): iterates downward, moving a[n - 1] first.
    i := n - 1
    while i >= k do
        a[i + 1] := a[i]
        i := i - 1
    end

Program 2 (center, incorrect): iterates upward and overwrites a[i + 1] before it has been moved.
    i := k
    while i <= n - 1 do
        a[i + 1] := a[i]
        i := i + 1
    end

Program 3 (right): iterates upward, holding the displaced value in auxiliary variables.
    temp := a[k]
    i := k
    while i <= n - 1 do
        save := a[i + 1]
        a[i + 1] := temp
        temp := save
        i := i + 1
    end

FIG. 9. Three solutions to the shift problem, including one incorrect solution (center). (From Allemang, D., and Chandrasekaran, B. (1991). “Functional representation and program debugging,” in Proc. Knowledge-Based Software Engineering Conference, 1991, IEEE Computer Society Press, pp. 136-152. © 1991, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
contents of the next array location. The final example is a corrected version of the second case, in which some auxiliary variables have been introduced to take care of the value clobbering problem. We have some knowledge about a large range of solutions to this assignment, including the three solutions given above. We know that the solutions must treat data in a conservative way, that is, data must not be overwritten. The solutions must move the data within one data structure, rather than construct a new one by iterating through the set, treating each element individually. How can we take advantage of such knowledge to help to recognize when the actual code is correct? We begin by representing them with the same FR. All three of these programs cover the set of relevant indices of the array with the index i; for each element covered by i they move the current element up one place in the array. These two operations are coordinated by the overall structure of the loop. Notice that the programs differ in the choices they make for each of these functions; the first program counts down the set while the others count up; the first two simply move the value to the appropriate place in the array, while the third uses a more complex swapping solution. This suggests three devices in the functional representation: the index, the mover, and the loop. The role of the index in this problem is to cover the part of the array that is of interest. It does this by (1) starting somewhere in the set; (2) moving from one item in the set to another; and (3) checking when it has covered the entire set. This suggests three functions for the index variable. These, along with some samples of code that could support these functions, are shown in Fig. 10. Two options for the index are specified; one each for moving up and down the set. We will use the notation U(i) to refer to the part of [k..n - 1] visited so far by the index; for an ascending index, U(i) = [k..i - 1]; for a descending index, U(i) = [i + 1..n - 1] (by convention, U(i) never contains i).
Device index
  Function start
    If        T
    ToMake    ?index = u
    By        e.g., (descending) ?index := n - 1        (ascending) ?index := k
  Function next
    If        ?index = ?x
    ToMake    ?index = v(?x)
    By        e.g., (descending) ?index := ?index - 1   (ascending) ?index := ?index + 1
  Function check
    If        ?index ∈ [k..n - 1]
    ToMake    (?index ∈ U)
    By        e.g., (descending) ?index ≥ k             (ascending) ?index ≤ n - 1

FIG. 10. Functional representation for the index. The actual starting point u and next-value function v differ for the two options (ascending and descending). For the ascending option, v(i) = i + 1 and u = k; for descending, v(i) = i - 1 and u = n - 1. (From Allemang, D., and Chandrasekaran, B. (1991). “Functional representation and program debugging,” in Proc. Knowledge-Based Software Engineering Conference, 1991, IEEE Computer Society Press, pp. 136-152. © 1991, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
The role of the mover in this program is to guarantee that if the previously visited cells in the array have been moved correctly, then all the cells, including the current cell, have been moved correctly. It has one function to do this, which in Fig. 11 is called move. In the figure, Γ is the predicate on subsets of [k..n - 1] that asserts that all cells in a subset have been appropriately moved, and that no others have been moved. For use in a correctness proof, Γ is defined by

$$\Gamma(S) = \forall j \in S,\ a[j+1] = \#a[j]\ \wedge\ \forall j \in [k..n-1] \setminus S,\ a[j] = \#a[j] \qquad (1)$$
Because of the possibility of a mismatch between some choices that might be made for index (e.g., ascending) and this definition of the mover, it is not possible to justify the part of the proof corresponding to this function, i.e.,

$$\{\Gamma(U(?index))\}\ a[?index + 1] := a[?index]\ \{\Gamma(U(v(?index)))\} \qquad (2)$$

before knowing the details of the actual program. Thus, in order for this FR to be consistent, it would be necessary to place (2) as the proviso for the function move. In Fig. 11, a weaker proviso is employed that does not entail the consistency of the FR, but shows the capability of the system to use plausible explanations in place of actual proofs.
Device mover
  Function move
    If        Γ(U(?index)) ∧ (?index ∈ U)
    ToMake    Γ(U(v(?index))) ∧ (empty a[?index])
    By        e.g., a[?index + 1] := a[?index]
    Provided  (empty a[?index + 1])

FIG. 11. Functional representation of the move function of mover. Such a move requires that the left-hand side be empty, and provides that the right-hand side becomes empty. (From Allemang, D., and Chandrasekaran, B. (1991). “Functional representation and program debugging,” in Proc. Knowledge-Based Software Engineering Conference, 1991, IEEE Computer Society Press, pp. 136-152. © 1991, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
Finally, the overall loop has the job of coordinating the functions of these two components. It is the loop that sequences the various checks and assignments from mover and index so that the overall task of moving the array fragment is done. A functional representation of the loop is shown in Fig. 12.
Debugging Using Device Understanding. Allemang also discussed the use of FR for program debugging. The debugger matches intentions to programs, and then resorts to a weak theorem prover only when the match cannot be completed. It uses provisos to simplify the job of the theorem prover as far as possible. When presented with the first program in Fig. 9, the debugger determines which choices of navigator and collector match the actual program. We omit the details of this unification process. Since the structure of the FR matches this program quite well, the loop invariant for this induction proof is already known, and the theorem prover only has to verify that the proviso (empty a[i + 1]) is satisfied whenever the line a[i + 1] := a[i] is executed. So the debugger presents the following fragment of a proof: Presuming that a[n] is empty, loop initialization tells us that i is n - 1. So, at the start of the loop, a[i + 1] is empty. From the previous iteration, the line a[i + 1] := a[i] tells us that a[i - 1 + 1] is empty. The line i := i - 1 tells us that a[i + 1] is empty. Thus, a[i + 1] is empty for the current iteration.
We will skip what the debugger does with the second program, and move to the third one, in which the programmer has introduced three novel lines and added two new variables to the problem. The debugger has no problem recognizing this as a correct program. It finds three lines in the body of the loop where it expected to find just the one line, a[i + 1] := a[i]. First, it notices that the second of these three lines might be able to provide
Device shift loop
  Function induct
    If        ∀j ∈ [k..n - 1], a[j] = #a[j]
    ToMake    ∀j ∈ [k..n - 1], a[j + 1] = #a[j]
    By        initialize-and-loop

  Behavior initialize-and-loop:
    Using Function cover of shift loop

  Function cover
    If        Γ(U(?index)) ∧ ?index ∈ U
    ToMake    Γ(U(?index)) ∧ ?index ∉ U
    By        cycle

  Behavior cycle:
    Γ(U(?index)), (?index ∈ U)
      |  Using Function move of mover
    Γ(U(v(?index)))
      |  Using Function next of index
    Γ(U(?index))
      |  Using Function check of index
    (?index ∈ U)

FIG. 12. Complete functional representation of the shift loop. (From Allemang, D., and Chandrasekaran, B. (1991). “Functional representation and program debugging,” in Proc. Knowledge-Based Software Engineering Conference, 1991, IEEE Computer Society Press, pp. 136-152. © 1991, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
the function expected by the missing line, provided that the variable temp contains the value that was expected on the right-hand side of the assignment, that is, #a[i]. This proviso is treated as any other, and the debugger traces back through the loop to generate the following proof: The line temp := a[k] tells us that temp contains #a[k]. The loop initialization tells us that i is k, so at the start of the loop, temp contains a[i].
From the previous iteration, the line save := a[i + 1] tells us that save contains #a[i + 1]; the line temp := save tells us that temp contains #a[i + 1]; the line i := i + 1 tells us that temp contains #a[i]. Thus, temp contains #a[i] on the current iteration.
The separation of functions from the process description allows FR to act like a plan representation for programs (Johnson, 1986); the functions specify pre- and post-conditions. The links in CPD index other functions, based on their pre- and post-conditions, just as subgoals index other plans. Allemang goes on to argue how FR provides a way of combining the power of the plan-based representation and the traditional programming language semantics, defining what he calls a functional semantics that allows a debugger to consult a proof of correctness without having to deal with all the complexities of the traditional programming language semantics.
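To make the Fig. 9 programs and the debugger’s proof obligations concrete, here is an added Python example (not from the chapter or from Allemang’s debugger) that runs the three programs on a constructed array, checks the mover’s proviso (empty a[i + 1]) before every move using a ghost “empty” predicate, and evaluates Γ(U(i)) of Eq. (1) at each iteration; the ghost predicate and the labelling of elements by their original index are my assumptions. It also exhibits the mismatch the text mentions: Γ as defined holds at every move of the descending program but fails for both ascending programs, including the correct one, so the proviso rather than Γ is what separates the buggy program from the fixed one.

```python
"""Added example: the three shift programs of Fig. 9 run under the checks a
debugger built on the FR would make. Not code from the chapter or from
Allemang's debugger. Assumptions: array element j is labelled with its
original index j (so #a[j] == j), a[n] starts out empty, and the 'empty'
predicate is tracked as a ghost property of the array, not stored in it."""


def gamma(a, U, k, n):
    """Gamma(U) of Eq. (1): every j in U has been moved to j + 1, and every
    other j in [k..n-1] still holds its original value #a[j] == j."""
    moved = all(a[j + 1] == j for j in U)
    untouched = all(a[j] == j for j in range(k, n) if j not in U)
    return moved and untouched


def empty(a, aux, c, n):
    """Ghost predicate (empty a[c]): a[c] may be overwritten because it is
    the presumed-empty slot a[n] or a copy of #a[c] lives elsewhere."""
    if c == n:
        return True
    return any(a[d] == c for d in range(len(a)) if d != c) or c in aux.values()


def move(a, aux, i, value, U, k, n, log):
    """The mover's line a[i + 1] := value, with its proviso (empty a[i + 1])
    and the precondition Gamma(U(i)) checked before the assignment."""
    if not empty(a, aux, i + 1, n):
        log["proviso"].append(i)
    if not gamma(a, U, k, n):
        log["gamma"].append(i)
    a[i + 1] = value


def program_descending(a, aux, k, n, log):       # Fig. 9, left
    i = n - 1
    while i >= k:
        move(a, aux, i, a[i], set(range(i + 1, n)), k, n, log)
        i = i - 1


def program_ascending_buggy(a, aux, k, n, log):  # Fig. 9, center
    i = k
    while i <= n - 1:
        move(a, aux, i, a[i], set(range(k, i)), k, n, log)
        i = i + 1


def program_ascending_fixed(a, aux, k, n, log):  # Fig. 9, right
    aux["temp"] = a[k]
    i = k
    while i <= n - 1:
        aux["save"] = a[i + 1]
        move(a, aux, i, aux["temp"], set(range(k, i)), k, n, log)
        aux["temp"] = aux["save"]
        i = i + 1


def run(program, k, n):
    """Run one program on a constructed array [0, 1, ..., n-1, None] and
    return (final array, postcondition holds?, log of failed checks)."""
    a = list(range(n)) + [None]          # a[n] is the empty slot
    aux, log = {}, {"proviso": [], "gamma": []}
    program(a, aux, k, n, log)
    shifted = all(a[j + 1] == j for j in range(k, n))
    return a, shifted, log


if __name__ == "__main__":
    for prog in (program_descending, program_ascending_buggy,
                 program_ascending_fixed):
        print(prog.__name__, run(prog, 1, 4))
```

For k = 1 and n = 4 the buggy program violates the proviso at i = 1 and i = 2 and ends with [0, 1, 1, 1, 1], while the other two produce [0, 1, 1, 2, 3] with no proviso violation.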
4.4.4 Device Libraries
The FR framework leads to the prospect of technical domain libraries of generic devices. Device classes at different levels of system description would be represented along with parametrized structural representation and the corresponding CPDs. Specific device representations can be constructed by choosing, instantiating, and composing elements from the library. In most cases, the FR for a device would simply be an instantiation of an abstract generic device, but in cases where the design is novel, new CPDs could be composed. Such a device can then be abstracted to a generic device and made available for future use. DeJongh (1991) represents classes of devices by parametrized FR descriptions, where specific devices inherit the causal structure though the variables assume the values for the particular device. Pegah et al. (1993) report on the use of device libraries for constructing representations. Toth (1993) outlines the construction of such libraries in an object-oriented framework, and uses such libraries extensively in her work on simulation. Josephson (1993) reports on the use of abstract data types as the basis for building such device libraries. The Kritik system of Goel (1993b) uses a library of about 25 designs for case-based design.
4.4.5 Uses in Design
There are a number of design subtasks for which the FR framework is useful (see Chandrasekaran, 1990, for a description of the task structure of design, Goel and Chandrasekaran, 1992 for a more detailed task analysis of case-based design, and Freeman and Newell, 1971, for an early discussion
of the role of functional reasoning in design). Iwasaki et al. (1993) describe a design framework in which FR again plays an important role. Chandrasekaran et al. (1993) discuss the use of FR for representing causal aspects of a design rationale, i.e., explanations of design choices. Levi et al. (1993) discuss how FR helps in bridging the processes of planning, execution, and device implementation in planning systems. In this section, we discuss the use of FR in case-based design and in design verification.
Redesign. The need to redesign can come about in a number of ways. For one thing, it is a subtask of the technique of case-based design. In this technique, when a new design problem comes along, a search is made in memory for problems similar to the current one, the “closest” such problem is retrieved, and the design solution for that problem is redesigned, i.e., modified to fit current needs. Redesign can also occur when the use environment has changed and it is desired to modify a device so as to deliver slightly different functions. In either case, the goal in the task of redesign is to modify the artifact so that it meets somewhat different functions. If the required changes in function are drastic, then, perhaps, equally drastic structural alterations will be needed, possibly requiring another design from scratch. However, if the needed changes are slight, redesign can be accomplished by relatively simple modifications to the existing structure, perhaps by parametric changes to the components and substances. In this section, we examine the role of FR in the redesign problem, assuming that the required changes are parametric changes to the components. Redesign has three subtasks: identifying the substructure that requires modification, identifying the modifications that need to be made, and verifying that the changes, in fact, produce the desired changes in function. Taking the last two subtasks first, deciding on the appropriate modifications requires knowledge outside the FR for the device. Perhaps a design library containing FRs of a number of functional assemblies could help. If it is decided that a component or a subsystem of the previous design needs to be changed to reflect a different functionality, an appropriate solution from the library may be available. Regarding verification, Sticklen’s use of FR for parametric simulation (Pegah et al., 1993) is relevant here.
As we discussed in the earlier section on parametric simulation, Sticklen shows how FR can be viewed as a form of compiled simulation, and suggests ways in which FR can incorporate information about the behavior of the device over ranges of component parameters. With this information, it is a straightforward process to derive device behavior whenever the component parameters are changed. Let me now get back to the first subtask, viz., identifying the substructures or components that need modification. Use of FR for retrieval and case analysis was first discussed in Goel and Chandrasekaran (1989), and Goel
developed the idea in detail in his thesis (Goel, 1989; see also Goel, 1992), where he described Kritik, a system that performs a form of case-based design in the NAC domain. I will describe how Kritik uses FR for case retrieval and analysis. Suppose we wish to modify NAC in order to cool high-acidity sulfuric acid instead of the low-acidity nitric acid. Kritik first compares the desired functions and those actually delivered by the candidate design (NAC). It notes that they differ in (i) the substance to be cooled (sulfuric acid instead of nitric acid) and (ii) a property of the substance (high-acidity instead of low-acidity). Since the substance property difference occurs in the function cool (low-acidity) nitric acid, Kritik uses this function to access the CPD responsible for it. A fragment of this CPD, the transition from state2 to state3, is shown in Fig. 5. Kritik traces through this CPD, checking each state transition in it to determine whether the goal of reducing the substance property difference (low-acidity → high-acidity) can be achieved by modifying some element in the transition. For example, in the transition state2 → state3, it finds that pipe2 has an allow function but it is restricted to low-acidity substances. Kritik has a typology of modifications to device components: (i) the parameters of a component can be “tweaked,” (ii) the modality of operation of a component can be changed, and (iii) one component can be replaced by another component. It correspondingly generates the following modification hypotheses: (i) pipe2 can allow the flow of high-acidity substances in a different parameter setting, (ii) pipe2 can allow the flow of high-acidity substances in a different mode of operation, and (iii) pipe2 has to be replaced with some new-pipe2 that allows the flow of high-acidity substances. How the choice of modification is made is not directly related to functional representation, so we omit a discussion of that issue.
The replacement of nitric acid with sulfuric acid is straightforward, as is the similar modification needed to handle the difference in functional specification. (See Goel (1991a) for additional discussion of case adaptation.) While Kritik is limited to “local” changes in a design, new members in the Kritik family of systems go beyond this restriction. Stroulia and Goel (1992), for example, show how FR-like representations of generic mechanisms such as cascading can help make certain kinds of nonlocal modifications to a design. Suppose, for example, a designer wished to create a device that will be able to cool nitric acid by a much larger range than the device illustrated in Fig. 2. Suppose also that, in addition to the design shown in Fig. 2, the designer knows of the generic mechanism of cascading, the replication of a device structure to achieve a larger function. Stroulia and Goel show how the cascading mechanism can be represented in the FR language and applied to replicate the water pump in Fig. 2 to cool nitric acid by a larger range.
Note that the cascading mechanism is not only device-independent but also domain-independent. Bhatta and Goel (1993) have studied how cascading can be learned from the design of one type of device such as a nitric acid cooler, and applied to design another type of device, such as an electrical circuit. In their work, the FR of the first device, the nitric acid cooler, guides both the learning of generic mechanisms such as cascading, and the transfer of this knowledge across devices and domains.
Design Verification. Let us consider a designer who has just completed a design, i.e., she has put together a description that specifies what components to use in the design and how they are to be connected. Unless the design was done by a very simple process such as table look-up, the designer is likely to have her own explanation of why she thinks the design would work. In our framework, having such an explanation corresponds to possessing a causal story of how the device as designed will meet the functions. The intended behavior of the device as described in the CPD can be verified by simulating the device behavior based on the component descriptions. As we discussed earlier, there are two problems in using component behavioral specifications for device simulation. First, there is a possible gap in the levels of abstraction between the device-level behaviors we are interested in verifying and the component-level behavioral descriptions. For example, the language in which the behavior of transistors and resistors is described is that of currents and voltages, but a circuit as a whole might be described functionally as an oscillator or as an adder. We could add a number of abstraction rules, but the simulation needs guidance as to which abstraction rules to apply and when. Second, the component models may describe aspects of behavior that are not relevant for the device-level behaviors of interest. Without guidance from the device-level functional description, the simulation may become quite complex and unwieldy, generating behaviors that do not contribute to design verification. For example, understood as a component, a pipe may have two sets of behavioral descriptions, the first based on its capability to support flow and the second based on its thermal properties. If the device function is concerned solely with flow, we would want to use this information to avoid having to deal with the behavior composition of thermal properties.
The CPD can be used as follows in the design verification task (Iwasaki and Chandrasekaran, 1992). The predicates that appear in the definition of the nodes in the CPD and the functional predicate, say $P_F$, are the terms that are of interest at the device level. We first need to define these predicates in terms of the objects and predicates that occur in the definition of components. For example, suppose that the predicate AmplificationLevel occurs in the description of a node in a CPD, and that the component
behaviors are in terms of voltages and currents. We first define the predicate in terms of the voltages at the input and output of the relevant components. Once a correspondence has been established between the device- and component-level terms, we need to establish that the partial states corresponding to the CPD nodes occur in the device, and that the transition occurs for the reasons mentioned in the annotation. If the annotation said, “By-Function F of component c,” we would want to verify that the component did play the indicated causal role in the transition. We thus have the designer’s CPD and the structural description. We can generate a description of device behavior from a description of the component behaviors using a simulator that composes the behaviors of the components in the structural description. A number of component description and simulation systems have been described in the AI literature, e.g., Fikes et al. (1991) and Low and Iwasaki (1993). However, as mentioned earlier, this behavioral description will be in component terms. We can then verify that the CPD is supported by this simulated behavioral description, i.e., that the predicates mentioned in the CPD occur in the behavior and in the appropriate causal and temporal relationship. One can imagine using the simulator in two modes. In one, the simulator is run first and the entire set of state variable values for all relevant discrete instants of time, $S_t(x_1, \ldots, x_j, \ldots, x_N)$, $t = 1, 2, \ldots, T$, where $S_t$ is the state vector at time $t$ and $x_j$ is the $j$-th state variable, is generated. (The state vector is simply the set of all the state variables that describe all the components in the device.) This description is a trajectory of the behavior of the device. Once this simulation is available, we can proceed to establish that the CPD is satisfied by the simulation. A second mode is one in which the simulation itself is guided by the CPD. That is, we first verify that the initial conditions of the FR are satisfied by the initial values of the state vector. The first transition of the CPD is then used to drive the simulator in relevant directions, i.e., to compute the values of the relevant state variables needed to establish the next node in the CPD and the transition. Once these are verified, the simulation can be guided by what is needed to establish the next node in the CPD, and so on. In order to perform this kind of guided simulation, we need to have component-level simulation techniques that can be used in selected directions. The development of these techniques is one area that is in need of research. The work reported in Iwasaki and Chandrasekaran (1992) uses component simulation in the first mode to verify the CPD. Let us suppose that the
trajectory of behavior has been generated by the simulator, and that we are looking at a transition from node $n_i$ to node $n_j$ in the CPD. Verifying that the two nodes are satisfied by the trajectory means showing that there are instants $k$ and $l$, $k \le l$, such that $n_i$ is true in state $S_k$ and $n_j$ is true in state $S_l$. To prove this, we will resort to the predicates used in the definition of the nodes in the CPD and the abstractions defined between the variables that occur in these predicates and the component-level variables in the trajectory. Even if we have verified that the device (in simulation) has gone from node $n_i$ to $n_j$, we still can’t claim that the transition in the CPD has been verified. We still need to show that the transition was realized as a result of, or was caused by, the reason mentioned in the annotation. For example, suppose that the annotation is By-Function F of the component c. If component c had no role to play in the transition, it is possible that it was not needed, and, in any case, the designer’s account of why the device worked would be incorrect. How to decide if one event causes another is a contentious philosophical issue, but the following weak criterion is sufficient for most purposes: $p_i$ causes $p_j$ if $p_i$ had anything to do with eventually bringing about $p_j$, where $p_i$ and $p_j$ are predicates in nodes $n_i$ and $n_j$, $j > i$. In Iwasaki and Chandrasekaran (1992), techniques of causal ordering, originally presented in Iwasaki and Simon (1986), are used to show this kind of relationship between $p_i$ and $p_j$. Showing that the function of a component causes some aspect of a state to be true requires careful use of the function-type semantics. A slightly different kind of design verification task occurs in the context of incremental modification of a design. Suppose that a designer designs a new device for achieving a desired function F2 by “tweaking” the design of a known device that delivers a function F1 very similar to F2.
The designer may now want to verify whether the proposed design for the new device will result in the desired functionality F2. Note that the designer already knows that the old design results in F1. If the designer has access to the FR of the old design, he may modify the FR to reflect the design tweak, and then simulate the revised FR by forward tracing to determine whether the proposed design will deliver the desired function F2. Kritik (Goel, 1989), which designs new devices in this manner, uses this method to verify whether a proposed design tweak helps in achieving a desired function.
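As an added example of the first mode (not code from the chapter or from Iwasaki and Chandrasekaran, 1992), the following Python generates a trajectory of state vectors from a constructed component-level amplifier model, abstracts each state vector to the device-level predicates that appear in CPD nodes, and checks that the nodes are satisfied at instants k ≤ l in CPD order. The simulator, the abstraction rules and the CPD are constructed for illustration; the causal-role check of the annotation is not attempted here.

```python
"""Added example: design verification in the 'simulate first, then check'
mode described in the text. Not code from the chapter or from Iwasaki and
Chandrasekaran (1992). The component-level amplifier model, the abstraction
rules and the CPD are constructed for illustration."""


def simulate(v_in, gain, v_supply, steps):
    """Constructed component-level simulator. Returns the trajectory
    S_1..S_T as a list of state vectors (dicts of voltages). The input is
    applied from instant 1 on; the output moves halfway toward gain*v_in at
    each step and is clipped at the supply rails."""
    trajectory, v_out = [], 0.0
    for t in range(steps):
        v = v_in if t >= 1 else 0.0
        trajectory.append({"v_in": v, "v_out": v_out, "v_supply": v_supply})
        v_out = v_out + 0.5 * (gain * v - v_out)
        v_out = max(-v_supply, min(v_supply, v_out))
    return trajectory


# abstraction rules: device-level predicate -> test on a component-level state
ABSTRACTIONS = {
    "input-present": lambda s: s["v_in"] != 0.0,
    "amplification-level": lambda s: s["v_in"] != 0.0
                                     and abs(s["v_out"]) >= 10 * abs(s["v_in"]),
    "output-saturated": lambda s: abs(s["v_out"]) >= s["v_supply"] - 0.5,
}


def device_state(s):
    """Abstract one state vector to the device-level predicates true in it."""
    return frozenset(p for p, test in ABSTRACTIONS.items() if test(s))


def verify_cpd(nodes, trajectory):
    """nodes: CPD partial states in order, as (name, predicate set).
    Finds instants k_1 <= k_2 <= ... such that node m holds in S_{k_m};
    returns (instants found, name of the first node never reached or None)."""
    instants, start = [], 0
    for name, preds in nodes:
        t = next((t for t in range(start, len(trajectory))
                  if preds <= device_state(trajectory[t])), None)
        if t is None:
            return instants, name
        instants.append(t)
        start = t          # k <= l: the next node may hold at the same instant
    return instants, None


# constructed CPD of the amplifier: input present, then amplification achieved
AMP_CPD = [("n1", frozenset({"input-present"})),
           ("n2", frozenset({"amplification-level"}))]

if __name__ == "__main__":
    print(verify_cpd(AMP_CPD, simulate(0.25, 16, 12.0, 6)))   # ([1, 3], None)
    print(verify_cpd(AMP_CPD, simulate(2.0, 16, 12.0, 6)))    # ([1], 'n2')
```

With a small input the design reaches n1 at instant 1 and n2 at instant 3; with a large input the output saturates at the supply rail and the predicate of n2 is never satisfied, so the CPD is not supported by the trajectory.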
4.4.6 Representing Problem Solvers as Devices

I earlier described Allemang’s work in representing computer programs in the FR framework and using it to reason about errors. An AI problem-solving program is, of course, a specific type of computer program, and thus has a device-like representation. Weintraub (1991), Johnson (1993),
FUNCTIONAL REPRESENTATION AND CAUSAL PROCESSES
and Stroulia and Goel (1993) have built systems that use the FR of the problem solvers as a basis for critiquing problem-solving behavior. Weintraub’s system uses this critiquing for credit assignment (actually blame assignment) in learning. Johnson uses it as the basis for student monitoring in a tutorial system for problem solving. Stroulia and Goel use it for self-monitoring, credit assignment, and self-adaptation in the context of a planning system. In all these cases the FR is used as an abstract representation of the strategy of the problem solver, i.e., the goal-subgoal structure of the problem-solving method. Because the problem solvers involved in all these cases use goals and subgoals explicitly during problem solving, the organization of the problem solver has the same function-subfunction decomposition as in the case of devices. In Weintraub’s work, the transitions of the CPD represent the execution of the method’s subtasks. Associated with each transition is a set of error candidate rules. If the problem-solving system that is being critiqued fails to make a transition or makes it with erroneous parameters, the credit assignment system uses these rules to make hypotheses about the sources of error in the problem solver. The FR thus provides an abstract road map of the strategy for the critic. Johnson uses the FR of the problem solver in a similar way to monitor a student’s problem-solving behavior. Stroulia and Goel use the FR for self-monitoring by a planning system, to generate hypotheses about the causes of error when the planner either fails to produce a plan or the plan fails upon execution, and to modify the planner using generic repair plans.

There are some interesting differences between the FRs used by Weintraub, Johnson, and Stroulia and Goel in representing problem solvers.
Weintraub uses CPDs in the way we have so far used them for devices and programs: the method is a state transition diagram in which the nodes are partial states at the appropriate level of description. On the other hand, Johnson wants to model problem-solving methods whose behaviors are not completely specified in detail beforehand. Her problem solver is built in the Soar framework (Laird et al., 1987). In this framework a method is specified abstractly as a set of subgoals and some type of “search-control” knowledge, and out of this information an actual search strategy emerges at run-time in response to the specifics of the problem situation. This kind of flexibility is not normally part of ordinary devices and programs, and hence their FRs have their CPDs completely specified in advance. On the other hand, the goal of the Soar framework is to build flexible problem solvers, i.e., problem solvers that are not committed to a fixed procedure to achieve a goal. Only a high-level strategy is specified and the detailed behavior is determined at run-time. Johnson represents CPDs solely by their subgoals together with some general knowledge of the constraints on sequencing them. The following example illustrates this situation.
B. CHANDRASEKARAN
The specification in Fig. 13 says that Goal B can be achieved by either of the two methods B1 or B2. Method B1 has two subgoals to be achieved in a specified order, while method B2’s subgoals can be achieved in any order depending upon the circumstances. In the case of B2, this abstract representation actually corresponds to six distinct sequences and, hence, is a more compact representation. Stroulia and Goel’s Autognostic system (Stroulia and Goel, 1993) uses FR to describe the reasoning process of a robot planner. Autognostic uses the FR model to monitor the planner’s problem solving in a manner similar to Johnson’s. If the planner fails to produce a plan or if the plan it does produce fails upon execution, then, as in Weintraub’s work, Autognostic uses the FR model of the planner to assign blame and generate hypotheses as to the causes of failure. The process of blame assignment, however, is different. In Weintraub’s work, transitions in the CPD are annotated by associative rules that indicate the likely sources of error. In contrast, Autognostic uses the derivational trace of problem solving in conjunction with the FR model to identify the sources of error. A major aspect of this work is the redesign of the robot planner after the causes of failure have been identified. The FR model provides a vocabulary for indexing repair plans that correspond to different types of failure causes. In addition, the semantics of the FR model enable a modification of the planner in a manner that maintains the consistency of problem solving.
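The goal/method specification of Fig. 13, as an added Python example that is not code from the chapter or from Johnson’s Soar-based system: a method lists its subgoals plus control knowledge as precedence constraints, the sequences it stands for are enumerated (B1 gives one, B2 gives six), and the order actually followed is chosen at run time from what the constructed situation makes achievable.

```python
"""Goal/method specifications in the style of Fig. 13.

Added example, not from the chapter or from Johnson's Soar-based system.
The functions, methods and run-time situations below are constructed here.
"""
from dataclasses import dataclass, field
from itertools import permutations
from typing import Callable, Dict, List, Optional, Set, Tuple

Situation = Dict[str, bool]   # facts such as {"Desired R-B": True}


@dataclass
class Method:
    name: str
    goals: List[str]
    control: List[Tuple[str, str]] = field(default_factory=list)  # (before, after)

    def admissible_sequences(self) -> List[Tuple[str, ...]]:
        """All orderings of the subgoals consistent with the control constraints."""
        out = []
        for order in permutations(self.goals):
            pos = {g: i for i, g in enumerate(order)}
            if all(pos[a] < pos[b] for a, b in self.control):
                out.append(order)
        return out

    def next_goal(self, achieved: Set[str], achievable: Set[str]) -> Optional[str]:
        """Run-time choice: a subgoal not yet achieved, all of whose predecessors
        are achieved, that the current situation allows. None if nothing fits."""
        for g in self.goals:
            if g in achieved or g not in achievable:
                continue
            if all(a in achieved for a, b in self.control if b == g):
                return g
        return None


@dataclass
class Function:
    """A function slot like 'To-achieve B' with its If: condition and By: methods."""
    name: str
    condition: Callable[[Situation], bool]
    methods: List[Method]

    def execute(self, situation: Situation, method_name: str,
                achievable_at: List[Set[str]]) -> List[str]:
        """Follow one method, picking the next goal at each step from what the
        situation currently makes achievable; returns the sequence actually
        followed, i.e. the strategy that emerges at run time."""
        if not self.condition(situation):
            return []
        method = next(m for m in self.methods if m.name == method_name)
        achieved: Set[str] = set()
        trace: List[str] = []
        for achievable in achievable_at:
            g = method.next_goal(achieved, achievable)
            if g is None:          # nothing admissible yet; wait for the next situation
                continue
            achieved.add(g)
            trace.append(g)
        return trace


# The specification of Fig. 13.
B1 = Method("B1", ["F", "G"], control=[("F", "G")])   # F precedes G
B2 = Method("B2", ["H", "I", "J"])                     # no prior constraints
TO_ACHIEVE_B = Function("To-achieve B", lambda s: s.get("Desired R-B", False), [B1, B2])


def count_sequences(f: Function) -> Dict[str, int]:
    """Distinct sequences each method stands for (B2 expands to 3! = 6)."""
    return {m.name: len(m.admissible_sequences()) for m in f.methods}


if __name__ == "__main__":
    print(count_sequences(TO_ACHIEVE_B))   # {'B1': 1, 'B2': 6}
    # Constructed run-time situations: J is achievable first, then I, then H.
    print(TO_ACHIEVE_B.execute({"Desired R-B": True}, "B2", [{"J"}, {"I"}, {"H"}]))  # ['J', 'I', 'H']
```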
4.4.7 Representation of Scientific Theories

Darden (Darden, 1990, 1991, 1992; Moberg and Josephson, 1990) has used FR to represent scientific theories and to capture certain aspects of theory change in science. FR is a natural medium for the representation of theories, especially in domains such as biology and geology where the objects of study are causal processes. Debugging a theory is akin to debugging a mechanism.

Function: To-achieve B
  If: Desired R-B
  By: Method B1 or Method B2

Method B1:
  Goals: F, G
  Control: F precedes G

Method B2:
  Goals: H, I, J
  Control: No prior constraints

FIG. 13. Goals, multiple methods, and method selection information.
4.5 Generating FRs for New Devices
In all of our discussion so far, we have assumed that the designer or someone else has constructed an FR for the device that is being reasoned about. For diagnosis and simulation, the FR is assumed to be given, and the reasoning mechanisms produce diagnostic knowledge or a simulation of the device. For design verification, the component-level simulation mechanism produces a simulation of all the state variables at the component level, but the FR as proposed by the designer is matched to the simulation to see if the CPD in FR is supported by the generated behavior. Human experts, however, are often able to construct functional representations of devices they have not seen before in their domains of expertise. For example, if a circuit is shown to an electronic specialist, she might, after some hypothesis-making and verification, identify the circuit as, say, an amplifier and proceed to explain what components play what role and how she thinks it works as an amplifier. I remarked earlier that, given a structure, i.e., a set of components connected in some way, the FR of the device as a whole is determined partly by considerations that are outside the device itself. The levels of abstractions of device-level variables, i.e., the terms of description, are determined both by the problem-solving goals and by what can be supported by the component-level descriptions. Given a circuit with two resistors in parallel, a possible device-level hypothesis is that one of the resistances is providing a current shunt, and an FR that focuses on that aspect can be constructed. Two loads in parallel is another possibility, and an FR that reflects that situation is also possible. If the goal is to construct an FR as intended by the designer, some form of “best explanation” reasoning may, in general, be necessary.
That is, a form of abductive reasoning is employed in which, using a number of cues, a hypothesis is drawn regarding the intended function of the device and a corresponding FR is constructed. One approach to constructing an FR for a device is to adapt the FR of a similar device, if such information is available in memory. The Kritik system of Goel (1991b) explores this method. Prabhakar and Goel (1992) investigate how the process of adapting the FR of a known device to obtain the FR of a new device can be facilitated by FR-like representations of generic physical processes and mechanisms. For the more general version of the problem of constructing FRs for novel devices, Thadani and Chandrasekaran (1993) propose a set of techniques, and Thadani (1993) has built a system that does this in the domain of passive electrical circuits. A central idea is that expertise in domains partly consists of structure-function-CPD templates at various levels of description. These templates consist of structural skeletons, functions that they
can help achieve, and an abstract CPD that describes how the structural skeleton might achieve that function. Such phrases as “skeleton,” “template” and “abstract” are intended to indicate that the templates and the CPDs may refer to classes of objects and behaviors, and also may not have all the details filled in. They may simply be organized fragments of knowledge of the domain, fragments embodying pieces of understanding about structural configurations and their relations to various functions. As a new physical situation is presented, the reasoning proceeds as follows. Templates from memory are matched to the description. All the templates that match parts or the whole of the device are retrieved and ranked according to the degree of match. Templates that have the highest degree of match are considered first. The templates are instantiated with as much detailed information from the device as available. Instantiated CPDs may suggest additional hypotheses as to the possible roles of other structural parts. These hypotheses may be partially or completely verified by checking the conditions associated with the selected CPDs. The hypotheses may also be verified by simulating the CPD with instantiated parameters, but the current implementation does not use any simulation. In this process, additional hypotheses might be generated about the possible role of other structural parts. To use an example, let us suppose that the original structural description of a circuit is in terms of resistors and voltage sources. Suppose that as a result of template matching and additional verification, portions are labeled as voltage dividers and current shunts. The hypothesis of a shunt might be accepted or rejected based on typical values of the resistors in the shunt and whether the resistors in the device satisfy the typical relation. In another example, the CPD for a hypothesized template might have a transition based on some function of a component. 
We can now check to see if there is structural evidence of the component. If there is, that component structure is so labeled. If there is no evidence, the template is rejected as inapplicable, along with the corresponding hypothesis as to the structural fragment. The surviving CPDs are used to generate hypotheses as to the balance of the device. If the predictions are confirmed, that part of the device is labeled with the function from the template. When the cycle of identifications and verifications is concluded, we may have a set of alternate hypotheses for parts of the device. Each consistent set of interpretations produces a different labeling of the parts of the structure. Relabeling for a specific interpretation changes the structural description, raising the level of abstraction at which the structure is described. There will be such a relabeling for each of the alternative sets of interpretations. This relabeling enables a new round of matchings to be activated, and a new set of structure-function templates to be retrieved. Because of the
constraints that arise with each such hypothesis, a number of earlier alternatives would typically not survive, but perhaps other alternatives at this higher level might be constructed. In any case, this process is repeated at each level. From the level of resistors and transistors, configurations at the level of voltage dividers and amplifiers may be hypothesized. At the next level of reasoning, the higher-level structural description might enable the reasoner to identify higher-level functional units, aided by templates in the knowledge base that relate structures at this level to higher-level functional units. Each stage prunes away some of the hypotheses from the previous levels, and might add a few hypotheses, but, in general, with a sufficient body of domain knowledge in the form of templates and their constraints, the number of possible interpretations contracts to a small number of highly plausible and consistent ones. This picture of top-down recognition alternating with bottom-up hypothesis verification is one which, I think, models our general reasoning about the behavior of the physical world. In this view, we are armed with a large library of skeletal FRs that relate behaviors, structural constraints, and CPDs at various levels of abstraction in a given domain. Our knowledge of the world is, as I said at the beginning of the paper, in the form of such causal packages. Use of a large repertoire of FRs, spanning multiple levels of abstraction and goals, gives the agent the capability for highly goal-directed and efficient simulation of just the relevant parts of the world for predicting behavior.
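The match, verify, relabel and repeat cycle described above, as an added Python example that is not code from Thadani’s system or from the chapter. The two structure-function templates (series pair as voltage divider, parallel pair as current shunt), the “typical relation” used to verify the shunt, and the sample resistor network are all constructed here, and the example keeps only the best-ranked verified hypotheses in each round rather than every alternative set of interpretations.

```python
"""Structure-function template matching over a resistor network.

Added example, not code from the chapter or from Thadani's system. The
templates, the value conditions that verify them, and the circuit are
constructed here; each round accepts the best-ranked verified matches
greedily instead of keeping every alternative interpretation.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Callable, Dict, List, Tuple

Degrees = Dict[str, int]


@dataclass
class Component:
    name: str
    kind: str                    # 'resistor', 'voltage_source', or a higher-level label
    nodes: Tuple[str, str]
    value: float = 0.0
    made_of: List[str] = field(default_factory=list)   # lower-level parts it relabels


@dataclass
class Template:
    """A structural skeleton (two resistors connected a given way), the function
    it can achieve, a verification condition on values, and the external nodes
    of the higher-level component that replaces the matched parts."""
    function: str
    structure: Callable[[Component, Component, Degrees], bool]
    verify: Callable[[Component, Component], bool]
    external: Callable[[Component, Component], Tuple[str, str]]


def node_degrees(circuit: List[Component]) -> Degrees:
    deg: Degrees = {}
    for c in circuit:
        for n in c.nodes:
            deg[n] = deg.get(n, 0) + 1
    return deg


def shared(a: Component, b: Component) -> set:
    return set(a.nodes) & set(b.nodes)


# Series pair whose junction touches nothing else: candidate voltage divider.
def series_structure(a, b, deg):
    s = shared(a, b)
    return len(s) == 1 and deg[next(iter(s))] == 2


def series_external(a, b):
    junction = next(iter(shared(a, b)))
    return tuple(n for c in (a, b) for n in c.nodes if n != junction)


# Parallel pair: candidate current shunt, verified by a constructed "typical"
# relation: the shunt resistor is at most a tenth of the resistor it bypasses.
def parallel_structure(a, b, deg):
    return set(a.nodes) == set(b.nodes)


def shunt_verify(a, b):
    lo, hi = sorted([a.value, b.value])
    return hi > 0 and lo / hi <= 0.1


TEMPLATES = [
    Template("voltage_divider", series_structure,
             lambda a, b: a.value > 0 and b.value > 0, series_external),
    Template("current_shunt", parallel_structure, shunt_verify, lambda a, b: a.nodes),
]


def candidates(circuit, templates):
    """Match every template against every resistor pair and rank by degree of
    match: 1 = structure only, 2 = structure and verification condition."""
    deg = node_degrees(circuit)
    resistors = [c for c in circuit if c.kind == "resistor"]
    found = []
    for t in templates:
        for a, b in combinations(resistors, 2):
            if t.structure(a, b, deg):
                found.append((2 if t.verify(a, b) else 1, t, a, b))
    return sorted(found, key=lambda x: -x[0])


def relabel(circuit, templates):
    """One round: accept verified, non-overlapping hypotheses in rank order and
    replace their parts by a higher-level component labeled with the function."""
    used, new = set(), list(circuit)
    for score, t, a, b in candidates(circuit, templates):
        if score < 2 or a.name in used or b.name in used:
            continue
        used.update({a.name, b.name})
        new = [c for c in new if c.name not in (a.name, b.name)]
        new.append(Component(f"{t.function}({a.name},{b.name})", t.function,
                             tuple(t.external(a, b)), made_of=[a.name, b.name]))
    return new


def interpret(circuit, templates, max_rounds=5):
    """Repeat matching and relabeling, raising the level of description each
    round, until no template yields a verified hypothesis."""
    for _ in range(max_rounds):
        nxt = relabel(circuit, templates)
        if len(nxt) == len(circuit):
            return circuit
        circuit = nxt
    return circuit


# Constructed circuit: a divider R1/R2 across the source and a shunt R4 across R3.
CIRCUIT = [
    Component("V1", "voltage_source", ("a", "gnd"), 9.0),
    Component("R1", "resistor", ("a", "b"), 10_000), Component("R2", "resistor", ("b", "gnd"), 10_000),
    Component("R3", "resistor", ("c", "d"), 1_000), Component("R4", "resistor", ("c", "d"), 10),
]

if __name__ == "__main__":
    for c in interpret(CIRCUIT, TEMPLATES):
        print(c.name, c.kind, c.nodes, c.made_of)
```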
4.6 Generalization to Nondynamic Causal Structures

Most of the devices that we have considered so far in the paper are what one might call “dynamic” devices, i.e., devices whose function is defined in terms of the states and state transitions of the device. The device has an initial state and undergoes a causal process of state changes and reaches states in which the functional specification is satisfied. The exception was our discussion of passive devices that achieve their functions simply by virtue of their structure. We used the example of a flower arrangement serving the function of decoration. Here the notion of causation involves the device’s causal effect on the human agents who happen to be the occupants of the room. As I discussed earlier, presumably one could give a causal process account of how the flower arrangement actually ends up creating a sense of beauty in the perceivers. However, for many such devices, we develop direct mappings from structure to function without involving the causal processes in the user. In any case, the flower arrangement does not itself undergo a causal process. Another example of a passive function is the structural frame that gives
strength to a structure by distributing loads between its members. Suppose we want to explain how such a structure is able to support a heavy load. Engineers often give a causal account that goes something like: “This member divides the load and transmits each half to these two members, and because of the thickness of the beam, the stress is pretty small.” This is a causal account, and the phenomena involved are intrinsic to the frame, unlike the case in the flower arrangement example. But the account is not a description of a dynamic causal process, i.e., the frame is not described as undergoing state changes over time in order to explain its ability to support the load. Nevertheless, the explanation by the engineer has the syntactic form of a CPD: something in the device causes something else in the device until the function we are interested in (in this case, a relatively low value of the stress) is shown to be caused, thus explaining the function. Each of the transitions between causes and effects in the explanation can be further explained in the way we described for CPDs: by appeals to functions of substructures, other such “CPDs,” or domain laws. For representation and reasoning, the CPDs play the same role as they do in the case of devices with dynamic state transitions. Toth (1993), in fact, constructs FRs and CPDs for mechanical structures and uses them to simulate their properties. There are examples that are not even causal in the way that the structural frame example is, but nevertheless a CPD-like explanation of why it works can be given, and such explanations can be used for predictive problem solving. When we understand the proof of a theorem, we create subproofs that prove various lemmas. We talk about how the assumptions lead to certain conclusions that lead to other conclusions. 
In the process of explaining how certain conclusions lead to other conclusions, we may appeal to lemmas (which serve the role of functions of components) or to inference rules of logic (domain laws) or to other proofs (other CPDs). Thus, it appears that the structure of FRs and CPDs captures a general logic of comprehension and explanation, with causal explanations being a special case. Both in the case of the structural frame and in the case of the mathematical proof, the explanation itself has the structure of a process: things are explained one after another, one causing another or one implying another, though, of course, there is no such sequentiality in the phenomena themselves. In the case of the structural frame, all of the stresses and strains are simultaneously in balance, even though the causal account has an inevitably sequential character. In the case of the proof, all the truths about a mathematical domain are eternally true: one conclusion doesn’t cause another conclusion, let alone in a sequential way. So where do the sequentiality of explanations and their formal similarity to causal processes come from in these cases? The answer is that these are
descriptions that are generated or used by cognitive agents with a highly sequential deliberative architecture. When we reason about the world, we move from conclusion to conclusion (or hypothesis to hypothesis). The knowledge state of the agent changes as the agent traverses the knowledge space in this manner. In the case of a real world phenomenon with an intrinsic causal process, there is often a mapping from the knowledge state of the agent to the causal state of interest. When one state changes into another in a device, the agent’s knowledge state, as he traces this state transition, changes in a similar way. This ability to make the sequence of knowledge state transitions mirror the causal structure of the world is, in fact, one of the major sources of the power of thinking in dealing with the world, as Craik pointed out in 1943 (Craik, 1967, is a reprint, with a postscript, of the 1943 edition). The power of goal-directed explanation is not restricted to dynamic causal phenomena, as the examples of the structural frame and mathematical proofs indicate. What the explanations capture is an organization of dependency relations in the domain of interest that helps in arriving at conclusions of interest. Causal state change relations are just one form of such dependency relations.
5. Related Work

There has been quite a bit of work in AI and related areas in trying to understand the relation between the function and structure of devices. The following is a representative but by no means exhaustive selection of such articles in the bibliography: Brajnik et al. (1991), Chittaro et al. (1993), Gero et al. (1992), Hunt and Price (1993), Jordan (1991), Kaindl (1993), Lind (1990), Navinchandra and Sycara (1989), Malin and Leifker (1991), Umeda et al. (1990), and Welch and Dixon (1992). These authors all build on the intuition that functions are made possible by behaviors and that the properties of components (in the structure of the device) make the behaviors “happen.” Our work is characterized by an emphasis on the representation of the causal processes that underlie the functioning of a device. We also emphasize such issues as levels of abstraction, the integration of the functional and process description into device-specific packages, and the formal representation, and use in a variety of problem-solving tasks, of explanatory annotations. Work like that of Jordan (1991) and Stadlbauer (1991) emphasizes the relationship between shape and function, an issue that we have not been concerned with much in this paper, though, of course, it is an important one. We have also earlier related our work to that of Hodges (1992) by pointing out his attempt to come up with a set of mechanical function
primitives. One can think of his work as a content theory of function in a shape-based mechanical design domain where shapes play a role in the transfer of force and motion. Abu Hanna et al. (1991) discuss how a functional model is not sufficient for diagnosis and point out that additional information is needed, an observation we also make in our work on diagnostic systems based on functional models (Sembugamoorthy and Chandrasekaran, 1986). Hunt and Price also make points similar to those of Abu Hanna et al., about the need in diagnosis for knowledge beyond a purely functional level. Their device representation uses ideas for the representation of function and structure similar to those we have proposed, but does not have a causal process description. They make the point that the CPD of FR could describe a system’s working incorrectly (after all, it is a theory of how the device works composed by the designer or the diagnostician) and, hence, may lead to incorrect diagnosis, and so prefer to use component descriptions for simulating device behavior. The problems that we have identified regarding levels of abstraction in the description could arise and additional inferences from component-level behavioral descriptions might be needed. An approach based on integrating the FR representation in order to focus diagnostic problem solving, and component-level behavior simulation to derive new behaviors that are not explicitly mentioned in the CPDs can be profitable. In fact, the work that we describe on design verification shows how the FR view and the component simulation view can be integrated. Bonnet (1991, 1992), Franke (1991), and Bradshaw and Young (1991) are closest to the kinds of concerns that we have been dealing with in this paper. Bonnet’s work is actually built on FR and he makes additional representational suggestions, including representations for what we have called passive functions. 
Franke focuses on representing the purpose of a design modification and not that of the device itself. As in the work of Iwasaki and Chandrasekaran (1992) on design verification, Franke also matches the description of changes in function against a qualitative simulation of behavior changes from component descriptions. Bradshaw and Young represent the intended function in a manner quite similar to FR. The most important difference between the FR work and that of Bradshaw and Young and also that of Franke is the central role that causal process descriptions play in explaining how a function is achieved. Verification of device design involves not only checking that the function is achieved, but also that the device structure played a causal role in the achievement of the function. Borchardt (1993) and Doyle (1988) are also relevant though their specific concerns are rather different from ours. Borchardt wishes to understand how to go from natural language descriptions of causal processes to more
precise and complete representations of the details of the process. Doyle’s approach consists of a set of device models for individual physical mechanisms. His program uses a collection of heuristics for synthesizing a device model from the mechanism descriptions. The hypothesized model is checked by verifying that the appropriate constraints are satisfied. Doyle’s specific mechanism representations employ constraints between variables, while FR additionally emphasizes representation of causal processes. Except for this difference, the work of Thadani and Chandrasekaran described in the paper on constructing device-level FRs has similarities to Doyle’s work.
6. Concluding Remarks

We have reviewed over a decade of work on device understanding from a functional perspective. It should be clear from the review that research on causal and functional representations is just beginning. It might be useful to describe a research agenda for the immediate future. We take this up in the next subsection.
6.1 A Research Agenda

The specific representational elements and organizing principles in the language developed so far have been applied to relatively simple devices and processes. The framework needs to be exercised and expanded by applying it to a larger variety of phenomena and devices. Following is a list of extensions on which work is either being done or needs to be done in the near future. It is likely that many of these problems and issues can be handled within the current ontology, though assuredly some of these will require additional representational and organizational ideas.

i. Functions that arise largely from shape. Suppose we wish to explain how a gear train works. We certainly can give a CPD whose nodes are simply symbolic predicates such as “tooth A exerts force on tooth B.” In fact, the work by Hodges (1992) can be viewed as a catalog of the kinds of influences in force transfer that physical shapes have on each other. However, in the human understanding of this function the shapes of the teeth and the way they mesh together in transmitting the force play an important role. It is important to extend state representations to include components that are shapes, rather than high-level predicates about the effects of shapes. The transitions from shapes to shapes may require appeal to visual or spatial simulation.
ii. Function-sharing. Clever designs often have components that are used differently to achieve different functions (Ulrich and Seering, 1988). It is true that we can write an FR for each function, but an integrated view of the role of the component would be missing in such a representation. This brings up a more general problem in FR, where, for each explicitly defined function, we can write a CPD that captures how it is accomplished. We also need a higher-level integrative perspective in which these individual functions are seen to be part of a larger function that exhibits a unitary representation.

iii. Representation of mutually dependent functions. Suppose, for example, that the car battery system requires that the engine be running regularly in order to keep the battery charged, while running the engine requires that the battery system is functioning normally. We need more experience with FRs that deal with such dependencies.

iv. Abstract or generic devices. Part of engineering expertise involves knowledge of device frameworks, not simply specific devices. Examples are electrical circuits, voltage dividers, regulators, and feedback loops. These frameworks can be instantiated in different ways, but we understand how they work at an abstract level without the instantiation. Building device libraries requires representational and instantiation techniques to be developed for such abstract devices.

v. Representation of functions that arise from a large number of individual elements. The interactions of bacteria and white cells can be individually represented (Sticklen, 1987), but, given that there are millions of these entities, it is impossible to reason about them on an individual basis. Gross behavior has to be explained as arising from the behavior of numerous elements without needing to represent each of the elements individually.

vi. Problem-specific FR construction.
We have been talking as if there is a fixed, possibly parametrized, FR for each device (or at least for each functional perspective) which we retrieve from memory and apply as needed for specific tasks. However, it appears to me that, even for devices that we thoroughly understand, we construct versions of FR that are appropriate for the particular problem-solving task that we face. For example, depending upon what aspects we expect to be reasoning about, we may impose qualitative conditions on state transitions, or we may represent them with a high degree of numerical accuracy. We may explain how a lamp’s filament produces light by appealing to an equation that relates current to lumens, or we may appeal to a CPD that uses the properties of the filament. Further, for each transition in a CPD, we usually include only certain conditions, i.e., those that we think are worth mentioning explicitly, though we may also be aware of a number of background assumptions that
are not stated explicitly. For example, if we are explaining that “liquid input at the top of a sloping pipe” causes “liquid to emerge at the other end,” we may annotate it in any number of ways depending upon the tasks that we expect to use the pipe for: By-Function (conduit) of pipe is one such annotation. But we also assume that the liquid doesn’t evaporate in the meantime, that the pipe’s surface is not too absorbent in relation to the amount of liquid, and so on and so forth. These assumptions are not stated explicitly, but are available to us when we need to think of them for debugging a faulty pipe. This kind of goal-driven construction of the FR is a capability that is important to understand.

vii. Need for formalizing different senses of ports. We have mostly discussed devices that are constructed by composing components. The components are, in turn, devices as well, i.e., they have functions that can be analyzed in a way similar to the functions of the device which they are part of. In addition, the devices are modeled as having input ports and output ports. Ports serve two distinct roles that are often conflated. In one role input ports are the places where actions performed by the user invoke the function of the device, while output ports are the places where the device delivers the function. For example, we put fruits into the mouth of the juicer and out comes the juice. Or, we input a low-amplitude signal at the input of an amplifier and out comes the amplified signal. There is also another role for the ports, and that is as the locus of connection to other devices for the purpose of creating additional devices. We can cascade two amplifiers, connecting the output of the first amplifier to the input of the second amplifier, to produce an amplifier of higher amplification factor. In many devices it happens that the “input-output” and “locus-of-connection” roles go together naturally. However, this, in general, is not the case.
For example, when we build a lamp circuit by connecting a bulb with a voltage source and a switch, the input port for invocation of the function is the switch, and the output port is not electrical at all, but spatial, i.e., the immediate region around the bulb. On the other hand, the device as a whole is composed of parts (switch, battery, bulb) that are connected together at various connection ports. These parts are themselves not devices, i.e., they cannot be defined independent of the circuit as possessing a behavior, let alone a function, unlike the individual amplifiers in the cascaded amplifier example. In the case of the cascaded amplifier, we can trace the behavior of the device by tracing the flow of some entity (in this case, the signal) from the input to the output of each component. In the case of the circuit, however, we do not explain the function by starting from the positive terminal of the battery and tracing the flow of electricity through each of the resistors and connecting wires. If there is a break in the
circuit, we don’t say, “... electricity starts at the positive terminal, moves across the two resistors, and then, oops, it can’t go any further because of the break.” The reason we don’t do this is that electricity is not modeled as flowing unless the circuit is complete. Once it is complete, we can model current as flowing through each of the parts. The interpretation of component ports as places for connections to produce a device is separated from their interpretation as places for delivering or invoking functions. In the case of the lamp circuit, the circuit as a whole can be composed with other components to make a new device. For example, the light from the lamp circuit may be detected by a photodiode in another circuit that might activate a switch. In this case, the input-output for the lamp circuit, viewed as a signal flow, would be the switch and the region around the bulb. The locus of connection is the region around the bulb as well, since the photodiode is positioned there. The output of the device as a whole is the output of the diode circuit, within which presumably a switch is activated. On the other hand, each of the circuits has components and loci of connections that are quite different from the ports in the signal flow perspective. We need to formalize the representation of components, ports, and devices so that the more general sense of devices is captured, or at least the formalization supports the distinctions that I have just described.

viii. Functions that involve time. We have discussed examples where the predicates have to satisfy certain time relations, such as the To-Maintain function, which is defined in terms of certain predicates being always true.
We also discussed dynamic state abstractions in which a repeating sequence of states was defined as a new state at a higher level of abstraction, say “oscillating.” But we have not discussed examples where the predicates involve specific quantitative temporal relations between the state variables. For example, the function of a sawtooth generator is to generate output over time with specified relations over the values at different times. We need to exercise the FR framework in devices of this type. Further, the work of Rieger and Grinberg (1978) in identifying different types of temporal constraints in transitions needs to be integrated with the FR work. ix. Multiple and redundant causal paths in CPD. There are devices in which a function is achieved by different parallel processes, providing redundancy. There are several versions of this type of parallelism. In one, the function is a quantitative one, e.g., so many units of x are to be produced with a number of different causal processes, using different subsystems, each contributing some amount to the functional requirement. In a second, somewhat similar version of this parellelism, if any of the processes fail, the remaining ones pick up the slack. This requires interesting feedback. Such mechanisms are common in biology.
FUNCTIONAL REPRESENTATION AND CAUSAL PROCESSES
137
6.2 Logic of Understanding

To what degree do computer programs that contain functional representations of devices and make use of them to solve problems really understand the devices they are reasoning about? Whether symbolic representations of this type alone can give computers understanding, even when they perform reasoning feats that correspond to human reasoning, is currently a topic of heated philosophical debate in circles concerned with the foundations of AI and cognitive science. The minimal claim I would like to make is that the FR framework is an attempt to capture the logical structure of the understanding of certain types of causal processes in the world. The FR displays the elements that participate in the causal process, and highlights relationships between them which the understander believes exist. As the work I have described demonstrates, possession of the logical properties enables the representation to be the basis for many different problem-solving activities.
6.3 Rich Variety of Reasoning Phenomena

I have surveyed a body of work built up over the last decade on reasoning about artifacts, about their functions, and about their causal processes, which also underlie the functions. The work is based on the assumption that there is a continuity between reasoning in commonsense domains and technical fields, that ordinary people and technical experts share ontologies and cognitive organizing principles for the generic task of modeling the world as a causal phenomenon, predicting behavior, and synthesizing artifacts. I have emphasized that the real power of intelligent behavior arises from the agent’s ability to organize reasoning and computational resources in a goal-directed way, and the qualitativeness of reasoning is just one aspect of it. FR investigates issues about how causal knowledge is indexed and packaged functionally. I have also indicated how the work reported is complementary to work on qualitative device models. Together they provide an integration of top-down and bottom-up reasoning techniques for efficient goal-directed reasoning. The research area is rich in topics for further expansion and exploitation. The FR framework is just one part of a larger framework that was hinted at in Section 2, one in which reasoning, action, and perception are seen as forming an integrated whole. AI has been too closely associated with just a “reasoning” paradigm. The process of achieving goals in the physical world is an area of research that can serve as a great arena for developing an integrated AI perspective.
ACKNOWLEDGMENTS

I would like to acknowledge the contributions of my colleagues and collaborators in FR research over the years, V. Sembugamoorthy, Jon Sticklen, Jack Smith, William Bond, Ashok Goel, Dean Allemang, Anne Keuneke, Lindley Darden, John Josephson, Mike Weintraub, Kathy Johnson, Matt DeJongh, Sunil Thadani, Yumi Iwasaki, Marcos Vescovi, and Richard Fikes. I would like to thank Ashok Goel, Sunil Thadani, Dean Allemang, and Marshall Yovits for reading a draft of this paper and providing a number of useful suggestions for improvement. The research reported here has been supported over the years by DARPA (contract F30602-85C-0010, monitored by Rome Air Development Center, and contract F-49620-89-C-0110 monitored by Air Force Office of Scientific Research), Air Force Office of Scientific Research (grant 89-OZSO), McDonnell Douglas, and BP America.
References

Abu-Hanna, A., Benjamins, V. R., and Jansweijer, W. N. H. (1991). Device understanding and modeling for diagnosis. IEEE Expert 6, No. 2, 26-32.
Allemang, D. (1990). Understanding Programs as Devices. Ph.D. thesis, Ohio State University.
Allemang, D. (1991). Using functional models in automatic debugging. IEEE Expert 6, No. 6, 13-18.
Allemang, D. and Chandrasekaran, B. (1991). Functional representation and program debugging. In Proceedings of the 6th Knowledge-Based Software Engineering Conference, IEEE Computer Society Press, pp. 136-52.
Allemang, D. and Keuneke, A. (1988). Understanding Devices: Representing Dynamic States. Columbus, Ohio: Laboratory for AI Research, Ohio State University, Technical Report 88-AKDYNSTATES.
Bhatta, S. and Goel, A. (1993). Learning generic mechanisms from experiences for analogical reasoning. In Proceedings of the Fifteenth Annual Conference of the Cognitive Science Society, Boulder, Colorado. Hillsdale, NJ: Lawrence Erlbaum Associates, pp. 237-42.
Bonnet, Jean-Charles (1991). Functional Representations: A Support for Enriched Reasoning Capabilities. Stanford University, Knowledge Systems Laboratory, Technical Report KSL 91-58.
Bonnet, Jean-Charles (1992). Towards a Formal Representation of Device Functionality. Stanford University, Knowledge Systems Laboratory, Technical Report KSL 92-54.
Borchardt, G. C. (1993). Causal Reconstruction. Massachusetts Institute of Technology, AI Lab, Memo 1403.
Bradshaw, J. A. and Young, R. M. (1991). Evaluating design using knowledge of purpose and knowledge structure. IEEE Expert 6, No. 2, 33-40.
Brajnik, G., Chittaro, L., Tasso, C., and Toppano, E. (1991). Representation and use of teleological knowledge in the multi-modeling approach. In Trends in Artificial Intelligence, E. Ardizzone, S. Gaglio, and F. Sorbello (eds.). Berlin: Springer Verlag, pp. 167-76.
Brand, M., Birnbaum, L., and Cooper, P. (1992). Seeing is believing: Why vision needs semantics. In Proceedings of the Fourteenth Meeting of the Cognitive Science Society. Hillsdale, NJ: Lawrence Erlbaum Associates, pp. 720-5.
Bylander, T. (1988). A critique of qualitative simulation from a consolidation viewpoint. IEEE Trans. Systems, Man and Cybernetics 18, No. 2, 252-63.
Bylander, T. (1990). Some causal models are deeper than others. Artificial Intelligence in Medicine 2(3), 123-8.
Chandrasekaran, B. and Mittal, S. (1983). Deep versus compiled knowledge approaches to diagnostic problem solving. Int. J. Man-Machine Studies 19(5), 425-36.
Chandrasekaran, B., Smith, J. W. Jr., and Sticklen, J. (1989). ‘Deep’ models and their relation to diagnosis. Artificial Intelligence in Medicine 1, No. 1, 29-40.
Chandrasekaran, B. (1990). Design problem solving: A task analysis. AI Magazine 11, No. 4, pp. 57-71.
Chandrasekaran, B. and Narayanan, H. R. (1990). Integrating imagery and visual representations. In Proceedings of the 12th Annual Conference of the Cognitive Science Society, Boston, MA. Hillsdale, NJ: Lawrence Erlbaum Associates, pp. 670-8.
Chandrasekaran, B. (1991). Models vs rules, deep versus compiled, content versus form: Some distinctions in knowledge systems research. IEEE Expert 6, No. 2, 75-9.
Chandrasekaran, B. (1992). QP is more than SPQR and dynamical systems theory: Response to Sacks and Doyle. Computational Intelligence 8(2), 216-22.
Chandrasekaran, B., Goel, A., and Iwasaki, Y. (1993). Functional representation as design rationale. IEEE Computer, Special Issue on Concurrent Engineering, 48-56.
Chapman, D. (1990). Vision, Instruction and Action. MIT AI Lab, Cambridge, MA.
Chittaro, L., Tasso, C., and Toppano, E. (1993a). Putting functional knowledge on firmer ground. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 23-30.
Chittaro, L., Guida, G., Tasso, C., and Toppano, E. (1993b). Functional and teleological knowledge in the multi-modeling approach for reasoning about physical systems: A case study in diagnosis. IEEE Transactions on Systems, Man and Cybernetics (to appear).
Craik, K. (1967). The Nature of Explanation. Cambridge University Press, Cambridge, UK and New York, NY.
Darden, L. (1990). Diagnosing and fixing faults in theories. In Computational Models of Scientific Discovery and Theory Formation, J. Shrager and P. Langley (eds.). Hillsdale, NJ: Lawrence Erlbaum, pp. 319-46.
Darden, L. (1991). Theory Change in Science: Strategies from Mendelian Genetics. Oxford University Press, Oxford.
Darden, L. (1992). Strategies for anomaly resolution. In Cognitive Models of Science, R. Giere (ed.), Minnesota Studies in the Philosophy of Science, Vol. 15. Minneapolis: University of Minnesota Press, pp. 251-73.
Davis, R. (1984). Diagnostic reasoning based on structure and function. Artificial Intelligence 24, 347-410.
DeJongh, M. (1991). Integrating the Use of Device Models with Abductive Problem Solving. Ph.D. thesis, Department of Computer and Information Science, Ohio State University.
de Kleer, J. (1985). How circuits work. In Qualitative Reasoning about Physical Systems, D. G. Bobrow (ed.). MIT Press.
de Kleer, J. and Brown, J. S. (1983). Assumptions and ambiguities in mechanistic mental models. In Mental Models, D. Gentner and A. Stevens (eds.). Hillsdale, NJ: Lawrence Erlbaum, pp. 155-90.
de Kleer, J. and Brown, J. S. (1984). A qualitative physics based on confluences. Artificial Intelligence 24, 7-83.
Di Manzo, M., Trucco, E., Giunchiglia, F., and Ricci, F. (1989). FUR: Understanding functional reasoning. Int. J. Intelligent Systems 4, 431-57.
Doyle, R. J. (1988). Hypothesizing Device Mechanisms: Opening up the Black Box. Ph.D. dissertation AI-TR 107, MIT Artificial Intelligence Laboratory.
Faltings, B. (1992). A symbolic approach to qualitative kinematics. Artificial Intelligence 56, No. 2-3, 139-70.
Fikes, R., Gruber, T., Iwasaki, Y., Levy, A., and Nayak, P. (1991). How Things Work Project Overview. Stanford University, Knowledge Systems Laboratory, Technical Report KSO 91-70.
Fink, P. K. and Lusth, J. C. (1987). Expert systems and diagnostic expertise in the mechanical and electrical domains. IEEE Trans. Systems, Man and Cybernetics SMC-17(3), 340-9.
Forbus, K. D. (1984). Qualitative process theory. Artificial Intelligence 24, 85-168.
Forbus, K. D. (1988). Qualitative physics: Past, present and future. In Exploring Artificial Intelligence, H. Shrobe (ed.). San Mateo, CA: Morgan Kaufmann, pp. 239-96.
Franke, D. W. (1991). Deriving and using descriptions of purpose. IEEE Expert 6, No. 2, 41-7.
Freeman, P. and Newell, A. (1971). A model for functional reasoning in design. In Proceedings of the Second International Conference on Artificial Intelligence (IJCAI-71), London, England.
Gero, J. S., Tham, K. W., and Lee, H. S. (1992). Behaviour: A link between function and structure in design. In Intelligent Computer Aided Design, D. Brown, M. Waldron and H. Yoshikawa (eds.). Amsterdam, Netherlands: North-Holland, pp. 193-225.
Goel, A. K. (1989). Integration of Case-Based Reasoning and Model-Based Reasoning for Adaptive Design Problem Solving. Ph.D. thesis, Ohio State University, Laboratory for Artificial Intelligence Research.
Goel, A. K. and Chandrasekaran, B. (1989). Functional representation of designs and redesign problem solving. In Proceedings of the Eleventh International Joint Conference on Artificial Intelligence, Detroit, Michigan, August 20-25, 1989. Los Altos, CA: Morgan Kaufmann, pp. 1388-94.
Goel, A. K. (1991a). A model-based approach to case adaptation. In Proceedings of the Thirteenth Annual Conference of the Cognitive Science Society, Chicago, August 7-10, 1991. Hillsdale, NJ: Lawrence Erlbaum, pp. 143-8.
Goel, A. K. (1991b). Model revision: A theory of incremental model learning. In Proceedings of the Eighth International Workshop on Machine Learning, Chicago, June 27-29, 1991. Los Altos, CA: Morgan Kaufmann, pp. 605-9.
Goel, A. K. (1992). Representation of design functions in experience-based design. In Intelligent Computer-Aided Design, D. Brown, M. Waldron and H. Yoshikawa (eds.). Amsterdam, Netherlands: North-Holland, pp. 283-308.
Goel, A. K. and Chandrasekaran, B. (1992). Case-based design: A task analysis. In Artificial Intelligence Approaches to Engineering Design, Volume II: Innovative Design, C. Tong and D. Sriram (eds.). San Diego: Academic Press, pp. 165-84.
Hayes, P. (1979). The naive physics manifesto. In Expert Systems in the Micro-Electronic Age, D. Michie (ed.). Edinburgh: Edinburgh University Press, pp. 242-70.
Hodges, J. (1992). Naive mechanics: A computational model of device use and function in design improvisation. IEEE Expert 7, No. 1, 14-27.
Hunt, J. E. and Price, C. J. (1993). Integrating functional models and structural domain models for diagnostic applications. In Second Generation Expert Systems, J. M. David, J. P. Krivine and R. Simmons (eds.). New York: Springer-Verlag, pp. 131-60.
Iwasaki, Y. and Chandrasekaran, B. (1992). Design verification through function- and behavior-oriented representations: Bridging the gap between function and behavior. In Artificial Intelligence in Design '92, John S. Gero (ed.). Kluwer Academic Publishers, pp. 597-616.
Iwasaki, Y., Fikes, R., Vescovi, M., and Chandrasekaran, B. (1993). How things are intended to work: Capturing functional knowledge in device design. In Proceedings of the 13th International Joint Conference on Artificial Intelligence. San Mateo, CA: Morgan Kaufmann, pp. 1516-22.
Johnson, W. L. (1986). Intention-Based Diagnosis of Novice Programming Errors. Research Notes in Artificial Intelligence. Los Altos, CA: Morgan Kaufmann.
Johnson, K. P. (1993). Exploiting a Functional Model of Problem Solving for Error Detection in Tutoring. Ph.D. thesis, Department of Computer and Information Science, Ohio State University.
Jordan, D. S. (1991). The Role of Physical Properties in Understanding the Functionality of Objects. Ph.D. thesis, Stanford University.
Josephson, J. R. (1993). The Functional Representation Language FR as a Family of Data Types. Technical Report, Laboratory for Artificial Intelligence Research, The Ohio State University, Columbus, OH.
Kaindl, H. (1993). Distinguishing between functional and behavioral models. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 50-2.
Keuneke, A. and Allemang, D. (1988). Understanding Devices: Representing Dynamic States. Technical Report, Laboratory for Artificial Intelligence Research, Ohio State University.
Keuneke, A. (1989). Machine Understanding of Devices: Causal Explanation of Diagnostic Conclusions. Ph.D. thesis, Ohio State University.
Keuneke, A. and Allemang, D. (1989). Exploring the "No-Function-In-Structure" principle. Journal of Experimental and Theoretical Artificial Intelligence 1, 19-89.
Keuneke, A. (1991). Device representation: The significance of functional knowledge. IEEE Expert 6, No. 2, 22-5.
Kuipers, B. (1986). Qualitative simulation. Artificial Intelligence 29, 289-388.
Laird, J. E., Newell, A., and Rosenbloom, P. S. (1987). SOAR: An architecture for general intelligence. Artificial Intelligence 33, 1-64.
Levi, K. R., Moberg, D., Miller, C. A., and Rose, F. (1993). Multilevel causal process modeling: Bridging the plan, execution, and device implementation gaps. In Proceedings of the 1993 Conference on Applications of AI: Knowledge-Based Systems in Aerospace and Industry, Orlando, FL. Bellingham, WA: SPIE, The International Society for Optical Engineering, pp. 240-50.
Lind, M. (1990). Representing Goals and Functions of Complex Systems: An Introduction to Multilevel Flow Modeling. Technical Report, Institute of Automatic Control Systems, Technical University of Denmark, Lyngby, Denmark.
Liver, B. (1993). Working around faulty communication procedures using functional models. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence 1993 Workshop Program, pp. 95-101.
Low, C. M. and Iwasaki, Y. (1993). Device modeling environment: An interactive environment for modeling device behavior. Intelligent Systems Engineering 1, No. 2, 115-45.
Malin, J. T. and Leifker, D. B. (1991). Functional modeling with goal-oriented activities for analysis of effect and failures on functions and operations. Telematics and Informatics 8(4), 353-64.
Moberg, D. and Josephson, J. (1990). Diagnosing and fixing faults in theories, Appendix A: An implementation note. In Computational Models of Scientific Discovery and Theory Formation, J. Shrager and P. Langley (eds.). San Mateo, California: Morgan Kaufmann, pp. 341-53.
Murray, W. R. (1988). Automatic Program Debugging for Intelligent Tutoring Systems. Research Notes in Artificial Intelligence. Los Altos, CA: Morgan Kaufmann.
Narayanan, Hari N. and Chandrasekaran, B. (1991). Reasoning visually about spatial interactions. In Proceedings of the 12th International Joint Conference on Artificial Intelligence, Sydney, Australia, August 1991. Mountain View, CA: Morgan Kaufmann, pp. 360-5.
Patil, R. S., Szolovits, P., and Schwartz, W. B. (1981). Causal understanding of patient illness in medical diagnosis. In Seventh International Joint Conference on Artificial Intelligence, Vancouver, British Columbia, pp. 893-9.
Pearl, J. (1986). Fusion, propagation, and structuring in belief networks. Artificial Intelligence 29, No. 3, 241-88.
Pearl, J. and Verma, T. S. (1991). A theory of inferred causation. In Proceedings of the International Conference on Knowledge Representation.
Pegah, M., Sticklen, J., and Bond, W. (1993). Functional representation and reasoning about the F/A-18 aircraft fuel system. IEEE Expert 8, No. 2, 65-71.
Pittges, J., Eiselt, K., Goel, A. K., Garza, A. G. S., Mahesh, K., and Peterson, J. (1993). Representation and use of function in natural language understanding. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 114-20.
Prabhakar, S. and Goel, A. K. (1992). Integrating case-based and model-based reasoning for creative design: Constraint discovery, model revision and case composition. In Proceedings of the Second International Conference on Computational Models of Creative Design, Heron Island, Australia, December 1992. Kluwer Academic Press.
Rieger, C. and Grinberg, M. (1978). A system of cause-effect representation and simulation for computer-aided design. In Artificial Intelligence and Pattern Recognition in Computer-Aided Design, Latombe (ed.). North Holland, pp. 299-333.
Rivlin, E., Rosenfeld, A., and Perlis, D. (1993). Recognition of object functionality in goal-directed robotics. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 126-30.
Sacks, Elisha P. and Doyle, Jon (1992). Prolegomena to any future qualitative physics. Computational Intelligence (Blackwell) 8, No. 2, 187-209.
Sembugamoorthy, V. and Chandrasekaran, B. (1986). Functional representation of devices and compilation of diagnostic problem-solving systems. In Experience, Memory, and Learning, J. Kolodner and C. Riesbeck (eds.). Lawrence Erlbaum Associates, pp. 47-73.
Simon, H. A. (1991). Nonmonotonic reasoning and causation: Comment. Cognitive Science 15, No. 2, 293-300.
Stadlbauer, H. (1991). Functional skeletons: From specification to design. INFA-report, Institute for Flexible Automation, Technical University of Vienna, Austria.
Stark, L. and Bowyer, K. W. (1991). Achieving generalized object recognition through reasoning about association of function to structure. IEEE Trans. Pattern Analysis and Machine Intelligence 13, 1097-1104.
Steels, L. (1989). Diagnosis with a function-fault model. Applied Artificial Intelligence Journal 3, No. 2-3, 129-53.
Sticklen, J. H. (1987). MDX2, an Integrated Medical Diagnostic System. Ph.D. dissertation, Ohio State University.
Sticklen, J. and Chandrasekaran, B. (1989). Integrating classification-based compiled level reasoning with function-based deep level reasoning. Applied Artificial Intelligence 3, No. 2-3, 275-304.
Sticklen, J., Chandrasekaran, B., and Bond, W. E. (1989). Distributed causal reasoning. Knowledge Acquisition 1, 139-62.
Sticklen, J., Kamel, A., and Bond, W. E. (1991). Integrating quantitative and qualitative computations in a functional framework. Engineering Applications of Artificial Intelligence 4(1), 1-10.
Sticklen, J. and Tufankji, R. (1992). Utilizing a functional approach for modeling biological systems. Mathematical and Computer Modeling 16, 145-60.
Sticklen, J., McDowell, J. K., Hawkins, R., Hill, T., and Boyer, R. (1993). Troubleshooting based on a functional device representation: Diagnosing faults in the external active thermal control system of space station FREEDOM. In SPIE Applications of Artificial Intelligence XI: Knowledge-Based Systems in Aerospace and Industry, U. Fayad (ed.). Orlando, FL: SPIE.
Stroulia, E., Shankar, M., Goel, A. K., and Penberthy, L. (1992). A model-based approach to blame assignment in design. In Proceedings of the Second International Conference on AI in Design. Kluwer Academic Press, pp. 519-38.
Stroulia, E. and Goel, A. K. (1992). Generic teleological mechanisms and their use in case adaptation. In Proceedings of the Fourteenth Annual Conference of the Cognitive Science Society. Hillsdale, NJ: Lawrence Erlbaum Associates, pp. 319-24.
Stroulia, E. and Goel, A. K. (1993). Using functional models of problem solving to learn from failure. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 157-63.
Sun, J. and Sticklen, J. (1990). Steps toward tractable envisionment via a functional approach. In The Second AAAI Workshop on Model-Based Reasoning, American Association for Artificial Intelligence, Boston, pp. 50-5.
Sycara, K. and Navinchandra, D. (1989). Integrating case-based reasoning and qualitative reasoning in engineering design. In Artificial Intelligence in Engineering Design, J. Gero (ed.). Southampton, UK: Computational Mechanics Publications, and Heidelberg, Germany: Springer Verlag, pp. 232-50.
Thadani, S. (1994). Constructing Functional Models of a Device from Its Structural Description. Ph.D. thesis, Department of Computer and Information Science, The Ohio State University.
Thadani, S. and Chandrasekaran, B. (1993). Structure-to-function reasoning. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence 1993 Workshop Program, pp. 164-71.
Toth, S. (1993). Using Functional Representation for Smart Simulation of Devices. Ph.D. thesis, Department of Computer and Information Science, The Ohio State University.
Ulrich, K. T. and Seering, W. P. (1988). Function sharing in mechanical design. In Proceedings of AAAI-88, American Association for Artificial Intelligence, pp. 450-4.
Umeda, Y., Takeda, H., Tomiyama, T., and Yoshikawa, H. (1990). Function, behavior and structure. In Applications of Artificial Intelligence in Engineering V, Vol. I: Design. Southampton: Computational Mechanics Publications, pp. 177-93.
Vescovi, M., Iwasaki, Y., Fikes, R., and Chandrasekaran, B. (1993). CFRL: A language for specifying the causal functionality of engineered devices. In Proceedings of the Eleventh National Conference on AI, American Association for Artificial Intelligence, AAAI Press/MIT Press, pp. 626-33.
Weintraub, M. A. (1991). An Explanation-Based Approach to Assigning Credit. Ph.D. dissertation, Department of Computer and Information Science, The Ohio State University, Columbus, OH.
Weiss, S., Kulikowski, C., and Amarel, S. (1978). A model-based method for computer-aided medical decision-making. Artificial Intelligence 11, 145-72.
Welch, R. V. and Dixon, J. R. (1992). Representing function, behavior and structure during conceptual design. In Design Theory and Methodology DTM'92, D. L. Taylor and L. A. Stauffer (eds.). American Society of Mechanical Engineers, pp. 11-18.
Weld, D. (1986). The use of aggregation in causal simulation. Artificial Intelligence 30(1), 1-34.
Computer-Based Medical Systems

JOHN M. LONG¹
Department of Surgery
University of Minnesota
Minneapolis, Minnesota
1. Overview . . . 145
2. Automation and the Healing Arts: The Changing World of Medicine in the Information Age . . . 147
   2.1 The Issues . . . 147
   2.2 Information Age Medicine . . . 149
   2.3 The Nature of Medical Computing . . . 155
3. Special Issues in Medical Computing . . . 158
   3.1 Legal and Ethical Issues . . . 158
   3.2 Validation, Regulation, and Standardization: A Dilemma . . . 159
4. A Review of Computer-Based Medical Systems . . . 161
   4.1 Automated Medical Records Systems: Problems and Opportunities . . . 161
   4.2 Clinical Assessment and Risk Evaluation . . . 162
   4.3 Imaging Systems . . . 163
   4.4 Medical Devices . . . 164
5. Artificial Intelligence in Medicine . . . 165
   5.1 Expert Systems . . . 166
6. Concluding Remarks . . . 177
   6.1 A Brief Look Toward the Future . . . 177
   6.2 Summary . . . 179
References . . . 180
   A. General . . . 180
   B. Validation, Regulation, and Standardization . . . 181
   C. Automated Medical Records Systems . . . 183
   D. Clinical Assessment and Risk Evaluation . . . 183
   E. Artificial Intelligence and Neural Networks . . . 187
   F. Imaging Systems . . . 190
   G. Medical Devices . . . 191
1. Overview

The notion of computer-based medical systems embraces the full range of computer systems, both hardware and software, that are designed and
¹ Current address: 2676 Manson Pike, Murfreesboro, Tennessee.

ADVANCES IN COMPUTERS, VOL. 38
145
Copyright © 1994 by Academic Press Inc. All rights of reproduction in any form reserved. ISBN 0-12-012138-7
146
JOHN M. LONG
built for use in a medical environment. These include embedded computers (hardware and software) found in medical devices. Systems used in conjunction with patient care are emphasized. This article is concerned with the process of engineering, inventing, designing, developing, and implementing computer-based medical systems. Manufacturers of both hardware- and software-based systems face special commercialization challenges. Regulatory agencies throughout the world are developing new ways to monitor product safety, but few standards exist for the embedded software in medical products. In addition to the software that comes with a device, regulatory agencies are also concerned with all the software used in creating medical devices, including production-equipment software and automated test equipment software. It is incumbent on engineers to demonstrate that all medical software is developed and validated under established practices. There is a special group of software-based systems characterized by processing ability. These range from health information systems to database managers. A major role is to support knowledge management. Patient care can no longer depend solely on the memorized knowledge of the individual doctor. Virtually all recent medical knowledge and literature in Index Medicus has been automated by the National Library of Medicine and is now available to doctors at their office terminals. Artificial intelligence techniques are needed to assimilate the huge volume of information cataloged in these computer systems. A whole new discipline, variously called medical informatics, medical computing, or computational medicine, is evolving (Shortliffe et al., 1990). Individual patient data have also become more accessible and manageable through the use of computer-based medical systems. 
Computers are now used in hospitals to track patients, to process and disseminate test results, to ensure that the appropriate medication is used, to apply for insurance reimbursement, and to record patient outcomes as a quality-of-care metric. Similar applications are appearing in doctors’ offices (Oberst and Long, 1987). The overriding issues here are those of regulation, validity, and reliability. Intertwined with these issues are moral and ethical concerns. As already mentioned, these systems are sometimes based on hardware, sometimes on software, and often on some combination of both. The overall organization of the chapter falls into several broad categories. The next two sections deal with issues that are a direct consequence of the use of computers and automation in medicine. This is followed by a discussion of the ways in which computers are becoming a part of clinical practice. A general overview of applications of artificial intelligence in
COMPUTER-BASED MEDICAL SYSTEMS
147
computer-based medical systems comes next. A few general remarks bring this discussion to a conclusion. An important part of this chapter is the set of references listed in Reference Sections A through G. It has been ten years since a paper devoted to a medical topic appeared in Advances in Computers (O’Kane, 1983). Several earlier articles related to the field of medicine have appeared. An early chapter on biomedical pattern recognition was written by a pioneer in the field (Ledley, 1966). Alan Westin discussed problems related to computers and privacy, problems that continue to be a vital issue in medicine (Westin, 1973). More recently, Kent Norman discussed models of information flow and control between humans and computers with medical overtones (Norman, 1988).
2. Automation and the Healing Arts: The Changing World of Medicine in the Information Age

2.1 The Issues

Very dramatic changes are taking place, brought on by computers and automation, especially in the more technologically advanced segments of our society. The world of medicine is not immune. Indeed these unrelenting changes are infiltrating medicine in a far more pervasive way than even those closest to medicine, the doctors, seem to realize. Here are some of the fundamental aspects of medical practice that are being challenged:

Control. Who controls the practice of medicine? Traditionally, and in most areas of the world, legal control resides with the medical doctor. As we shall see, computer-based medical systems create environments that seriously challenge the doctor’s ability to retain control. It seems almost inevitable that at least some of this control will be lost.

Regulation. In addition to the professional controls, the health care industry is also closely regulated by the government. There are regulations on medical devices, drugs, licensing of various levels of health professionals, and other areas as well. The current system of regulations is being challenged in fundamental ways by computers and automation. This is illustrated by efforts of the United States Food and Drug Administration (FDA) to regulate certain types of computer-based medical systems, even though the concept of regulating computer software is quite foreign to the original purpose of the FDA.
148
JOHN M. LONG
Art versus science. Both the art and the science of medicine are important. The essential role of both aspects of this spectrum is challenged by computer-based medical systems. During most of this century, medicine has been continuously moving more and more toward the science end of the art-versus-science spectrum. The role of such human qualities as compassion is constantly being challenged by new technology and science. Computers and automation introduce an interesting element into this equation because they expand it in both directions, or at least have the potential to do so. Automation is extending the technical and scientific aspects of medicine far beyond what anyone might have expected a few years ago. At the same time, it also opens up the way to vast improvements in the art, the human qualities, of medicine. It seems ironic and, to some, even inconceivable, that computers and automation can expand the compassionate aspects of medicine. The creative use of computers allows the technical and scientific aspects to become more invisible to the patient and allows the human qualities to be more visible. Further, human-like qualities can be programmed into these systems using artificial intelligence technology.

Dignity and privacy. Computers and automation challenge individual privacy in many new ways. It is true that this problem goes far beyond the field of medicine, but medical information certainly represents some of the most sensitive information collected about individuals. Such data are far more vulnerable when stored in databases and on personal medical record cards (Long et al., 1987). Respect for personal human dignity is challenged when privacy is challenged. However, the challenge of computers and automation to our ability to respect human dignity goes beyond the invasion of privacy. Computer-based medical systems allow us to artificially extend life in forms or states that many consider degrading or unfeasible or inhumane.
They allow us to reduce human dignity with gadgetry.

Costs. Medical high-tech devices, based mainly on computer technology, are increasing the cost of medical care. At the same time, computers make it possible to micromanage medical costs. The implications of these two trends are great. Here is one example. Computers and automation challenge the long-established practice of concealing the cost of some clinical teaching and research in the clinical charges billed to the patient and, ultimately, to medical insurers and the government. For years, federal accountants, health insurance companies, and others have attempted with limited success to find ways of measuring and disallowing such charges. Computers and automation are finally allowing them to succeed.
COMPUTER-BASED MEDICAL SYSTEMS
149
Clinical research. Not all the challenges to medicine brought on by automation are disruptive or harmful. Indeed, there are many truly exciting new possibilities. Among the most revolutionary are the new ways of perceiving and conducting clinical research, ways that can ameliorate or eliminate many of the problems currently facing medical research, including those related to informed consent, privacy, and animal usage. These new ways are intricately associated with the standardization and automation of medical records (Long, 1986). The potential synergism between standardized and automated medical records and clinical practice, like that between teaching and research, represents a major beneficial outcome of information age medicine.

Some may challenge whether or not any (or all) of these fundamental changes are really happening, or whether they can or will occur. And some of those who have seen these trends may not believe that computer-based medical systems are the fundamental causative factor here. If computers are not the cause, they most certainly are enablers. The process can be slowed down or speeded up and, of course, false and/or wrong starts (wrong technically, wrong legally, wrong morally, wrong ethically) have occurred, can occur, and will occur. Computers and automation are either causing or facilitating the information age revolution in medicine, and there appears to be virtually nothing that will stop it. Twenty or fifty years from now, in places where the best medicine is practiced, that practice is more likely to look like “Star Trek” than today’s modern medicine.
2.2 Information Age Medicine

2.2.1 The Airline Analogy
We hear our emerging computer-based society referred to more and more frequently as the “information age,” usually in comparison to the earlier “industrial age.” It is not always clear just exactly what is meant by the term “information age.” As used here, it can best be explained by an analogy, by looking at what has happened in those segments of the airline industry that have already moved into the information age. Let’s focus on the airline reservation system for a moment. The following is not historically correct in every detail, but we will use it to make a point and to provide insights. The initial motivation for automating airline reservations was to bring order and continuity into the system. Computers were used to automate the files representing seat spaces on flights in such a way that the file of spaces available shrank as tickets were sold. Spaces were maintained in a central computer and sold and reserved from any
destination in the airline’s system using a communications network. The initial problem was solved! It is interesting to note that the solution required a merger of communications and computers, a merger that is essential for virtually all information age systems.

Things did not stop there. Once the original problem was solved, an interesting form of synergism began to occur. Here are some of the events that ensued. The computer terminals, used initially at airline ticket counters to reserve and sell spaces, were next placed at many other convenient locations beneficial to the airline and the public, places like central reservation centers and travel agencies. Devices were added that automatically printed tickets, eliminating the need to write out tickets and making them more legible. The “seat space” file in the computer was expanded to include the name of the person who bought the space. Later it was further expanded to include the specific location of the space on the aircraft (seat selection). Another level of synergism was created as these expanded features were added to the system. Passenger lists could now be generated automatically. The entire airline’s flight schedule was stored in the computer as well as being on-line, providing an easy reference for many uses not originally anticipated. The schedules of other airlines were merged into a single file, providing a complete on-line schedule of all airlines.

These impressive achievements do not yet meet this paper’s definition of an information age system. Somewhere along the way, airlines began to realize that the data captured by the reservation system had much more potential. Each airline began to exploit these data in order to improve and personalize their services and to gain business advantages over competitors. Reservation systems became a tool for achieving strategic advantage.
By controlling the schedules of all airlines in the on-line listings, an airline that maintained these listings could, and, in various subtle and not so subtle ways, did direct business to itself. The advantages were so effective that government regulations were established to provide control. One estimate puts the advantage to the airline maintaining the reservation system at 10% to 15%, an advantage that still exists in spite of these regulations.

Schedules were improved. By having its entire schedule in an on-line display and available for sophisticated mathematical modeling, the plan became more comprehensible, allowing deeper insights and a more comprehensive analysis regarding the proper timing and destinations of flights from any given point in the system.

Customer services were personalized. Individual customer profiles could be developed from the existing database, which held such data as seat preference, frequency of travel, and travel patterns.
Airlines are using the information automatically captured by their reservation systems in conjunction with artificial intelligence technology to create and implement flexible strategies so as to more completely fill the seats on flights while minimizing the number of cheaper seats that have to be sold in order to accomplish this goal. For example, airlines continuously monitor the rate of seat sales and modify the mix of types of tickets made available to maximize the number and price of sold spaces. They also use the data and various automated strategies to decide the frequency, timing, and destination of flights, and to optimize aircraft usage. The process is continuing and the ultimate end of the synergism is not in sight. The possibilities seem to be limited only by the creativity of its users. Isn’t it interesting that the human creative process seems to be expanding as the automation process moves along? In many cases, business advantage, even survival, depends on such creative usages of information. These creative and synergistic uses of information by the airline industry illustrate our concept of the emerging information age.
2.2.2 Regulation and Control

There are at least two separate issues in the control of medicine. First are the concerns about the individual’s ability to control his or her own health care. Second is deciding who is to control the practice of medicine. Neither of these issues is grounded in automation and computers, but computers and automation provide many more options regarding control than are available in the pre-information age. The designer and builder of computer-based medical systems has the potential to exercise a great deal of de facto control. Consider how the airline reservation system eventually became the critical element of an airline’s operations and survival. Legally, the doctor is in control of health care and responsible for its outcome. This is not likely to change, though de facto control is already shared with a number of outside influences, many of which depend upon computer-based medical systems. In theory, all the aspects of medicine that cannot be directly controlled by doctors in their medical practices, such as medical devices and drugs, are regulated by the government. Computer-based systems, especially expert systems and other systems based on artificial intelligence, also challenge this current simplistic solution by confusing the traditional boundaries between medical practice and government regulation. Controlling a process would seem to involve a conceptual understanding of the process. It may be that, as computer-based medical systems become more complex, conceptual understanding of these systems will be beyond the capacity of any one individual. Indeed, that may be the case already.
Shared control/responsibility seems essential. For example, there really is no well-established way of certifying medical software. Experts, probably non-doctors, must examine the software to see if it is done well. The doctors who use such systems must ultimately rely on these other experts along with their own intuition and other highly subjective feelings to judge the value and meaning of the output of these computer-based medical systems. These factors are all part of the decision as to when and how to use that output in the diagnosis and treatment of a patient.

Computer-based medical systems substantially increase the complications associated with medical regulations. In the United States, the FDA is the agency designated to protect the health and safety of the public. The traditional role of the FDA has been expanded to include medical devices, many of which now have embedded computers. These embedded computers are increasing in complexity and more and more often are programmable, that is, they include software as well as hardware. Furthermore, many computer-based medical systems that are basically software require FDA oversight. These software systems include medical expert systems that can select and implement patient protocols. The regulation of these systems requires approaches different from those established by the FDA for drugs. The FDA plan to regulate computer-based medical systems that do not directly interact with a patient goes something like this: If there is a clear division between the physician’s actions on behalf of a patient and the computer-based system, the designer/builder of the system is not “practicing medicine.” What this says is that in such systems the physician observes the output of the computer and then accepts or rejects its results in deciding how to treat the patient. Increasingly sophisticated computer-based medical systems will only further complicate regulation and control of medical practice in the information age.
New structures are needed to manage and effectively use this medical information. This is especially true for expert systems. We discuss this issue more fully in Section 5.1.6. Some of the motivation for greater regulation and shared control of medical practice has been cost containment and has come from the wrong place (i.e., outside the profession). Interestingly enough, these controls rely almost entirely on computer-based information. They include control over how long a patient can be hospitalized, what procedures should be performed, and how many and what drugs are dispensed. In the minds of many, the synergistic potential of computer-based medical systems has, so far, been focused on negative aspects, such as cost containment, when it should have been focused on positive issues, such as improved patient care. If properly managed, we can expect both improved care and cost containment to be the ultimate result. Computer-based medical systems can provide support for an expanded
role of paramedics in patient care. This includes, of course, nurses, physicians’ assistants, and other health-care providers. In addition, a whole new set of health professionals may appear, for example, “medical information specialists” who review, digest, and prepare input to the medical databases which support these new health care delivery systems. Such specialists must keep these systems current by incorporating new developments in medical research. They could also provide statistical analyses of the effectiveness of existing treatment protocols, examining, for example, the effectiveness of drugs and treatment regimens in terms of outcome, that is, what worked and in which subpopulations. The good news is that automation and computers could also help these specialists evaluate computer-based systems by tracking, in a fair amount of detail, the final results of using the system’s output. Ultimately, the system could comprehensively evaluate itself. This type of application is one example of the potential synergism one can expect from computer-based medical data in the information age. At the same time that computer-based medical systems are making inroads into medical practice and upsetting the traditional regulation and control mechanisms, these same systems are opening the way for individuals to exercise greater control over their own individual health care. Reasonably intelligent individuals have at their disposal enough information to be able to take care of an increasing number of their own health problems. This is especially true regarding well care or preventive care. An extensive library of information on virtually the entire current medical literature can now be retrieved on a home computer terminal.
2.2.3 Litigation

We live in a litigious society. Medical practice has been a primary target. The effect has been to place limitations on medical practice. Litigation is one more force that is wresting control and authority from the doctors. It has raised costs that are already too high. It has also produced increases in insurance premiums, both to pay for what, at times, seems unreasonably high awards to litigants and to pay for extra procedures in day-to-day medical practice solely as a protection or defense against potential lawsuits. Hopefully, the political process will eventually eliminate or, at least, curtail the negative aspects of this trend. But whether or not this ever happens, information age medicine will change the character of the problem and could, indeed, solve certain aspects of the problem. Here are some of the ways. First, as we have already discussed, computers make it possible to contain and manage the vast volume of medical knowledge, making it more
accessible. It also makes it possible to maintain this knowledge in a more up-to-date manner. This knowledge base can be used to help establish acceptable standards of medical practice. It can be made available to all doctors in a timely manner and at a relatively low cost. This should reduce disagreements regarding “standard and acceptable” medical care. Second, enough information about an individual patient can be made readily available to allow the doctor to treat the patient from a position of knowledge. For example, technology already exists that allows a credit-card-sized medical record to contain a patient’s entire medical history, including photographs, ECGs, radiograms, and even cine angiograms (Long et al., 1987). Finally, the above two elements of information can interact in a broader context in a synergistic way if statistical methods are applied to continuously evaluate the vast amount of data being accumulated. These statistical analyses can provide ongoing updates to the medical knowledge bases regarding the effectiveness of various protocols. They can even be used to discover new facts, for example, which medications interact, both for benefit and for harm, and on which patient subpopulations. These data can help define when and how to use medication. Similarly, they can identify which treatment regimes or protocols work and under what conditions. In other words, these data can be accumulated as an integral part of clinical care and fed back into the system, thus closing the loop. Questions that can be formulated in a closed-loop system include: What is the best way of determining the health status of a patient? Which characteristics imply a certain condition of health, either wellness or illness? And which actions or inactions are effective?
The relevant point is that these information age knowledge bases, which either already exist or are entirely within the realm of the possible today, can provide enough information to resolve many current legal issues related to malpractice. We can know, or find out, how perfect or imperfect our system is. The ever-present risks of medical practice can be more accurately defined. Much of the guesswork can be replaced by predictable chance. One would hope that such predictable chance can thus be defined and known in advance of medical treatment. One might hope that this could eliminate much current litigation.
2.2.4 Structure

The structure of medical care is already changing in subtle and not so subtle ways. Although it is not very likely that the doctor’s relative position at the top of the hierarchy is going to change much, computer-based systems are employing and will increasingly employ complex knowledge bases and
decision logics which will have consequences that are difficult to fully predict. It is only a matter of time before such computer-based systems will make recommendations that the doctor will be unable to properly assess without extensive help external to himself/herself. It is easy to conceive of such a system recommending a best solution that the doctor will not be able to recognize as such, possibly rejecting it. In areas outside medicine, such solutions that go counter to “common knowledge” have already occurred. The traditional structure of medical practice is evolving toward the use of a team approach. The doctor will remain as leader with control and authority shared with other team members. At least two team member types that do not now exist can be identified. One is the new kind of medical information specialist we have already described, and the other a computerized medical records specialist. The latter’s role will be expanded as s/he becomes an active team member as opposed to the essentially passive role of medical records people today.

In summary, the apparent structure of medical practice may not change that much, but the de facto structure is changing and will continue to change. Computer-based medical systems, the systems that are ushering in the information age of medicine, can be helpful or harmful; moral, amoral, or immoral; humanizing or dehumanizing; disruptive or unifying; it all depends on whether or not we use them properly. Computer-based medical systems must be viewed as strategic instruments for managing and assimilating the vast arena of medical knowledge so that this knowledge can be effectively applied to the treatment of illness and the maintenance of wellness. These same knowledge bases can be further exploited in synergistic ways to find out, for example, which treatment protocols are effective, and to then use this knowledge to improve the overall system of health care.
2.3 The Nature of Medical Computing

The medical community has been slow to accept and use automation. For many years automation was confined primarily to hospital business office applications, such as billing, scheduling, inventory, bed census, and the like. Similarly, its impact on private practice has been almost negligible and primarily confined to billing and a few office management aids. The real potential for automation in the clinical practice of medicine has yet to be achieved. Information age medicine has not yet arrived. The reasons are understandable. Medical practice is, of necessity, conservative. Changes come about only after they have been subjected to careful evaluation and are proven beneficial. Medical practitioners are busy, self-directed people who have little time for new and unproven concepts.
There has been a serious communication gap between the computer specialist and the medical practitioner. Computer specialists have difficulty understanding how a medical practice really works. The problem has been aggravated by a tendency to gloss over many of the complexities related to automation. Finally, and perhaps most important, the medical profession is steeped in the personalized one-to-one physician-patient relationship. Many physicians see automation as a threat to this relationship.

The potential for automation in medical practice is nevertheless being recognized by more and more physicians. The 1990s will see a substantially increased use of automation in the clinical aspects of medical practice. In the past, there was little pressure on the physician in private practice to automate the office in order to keep up. There are several reasons why the climate is becoming increasingly favorable to private practice office automation. The tremendous increase in paperwork required by government and by insurance carriers has already caused many offices to use automation, at least for billing purposes. Once this happens, the potential benefit in other applications becomes more obvious and it becomes easier to implement these applications. Many doctors in practice today have seen the beneficial uses of automation in their training programs in countless experimental and operational applications. Similarly, many hospitals, where the original uses of computers were business oriented, are now expanding their use of the computer into clinical areas. Computer companies and many computer service vendors, seeing the tremendous business potential, are promoting the use of computers in medical practice. Similar potential exists in the physician’s office. The physician’s office contains a number of systems that operate more or less simultaneously.
Usually, each system consists of a set of policies and procedures defining how the system operates, a means of providing a service or function (such as space and equipment), forms or some other means of recording data, and, most important, personnel trained to make the system operate properly. When all of the interlocking systems in the office have been described, the office operations are defined and open to the use of computers (Oberst and Long, 1987).
2.3.1 Special Characteristics of Clinical Databases

Commercial database management systems (DBMS) are not designed to handle the storage of clinical data because clinical data are found in so many formats:

(a) Most laboratory results can be stored in computers because these data are usually precise numerical measurements made on an absolute or relative scale.
(b) Clinical observations are often reported on a finite-point scale and can be stored in a computer. Binary scales are frequently used to indicate the presence or absence of a sign or symptom, a positive or negative result, or an increase or decrease in some observed phenomenon. Multiple-point scales such as “much better,” “better,” “no change,” “worse,” or “much worse” can also be recorded in a computer.

(c) Symbolic scales are a little harder for computers to handle. Findings reported in English words such as color, texture, softness/hardness, tenderness, swelling, and appearance can be stored without too much difficulty, but they are harder to compile and evaluate because of their open format and subjective nature.

(d) Results plotted on a graph, such as ECGs, require special equipment and software in order to be stored in a computer. ECG signals can be digitized (many modern ECG charts are digital), but merging a digital version of an ECG into an automated medical database is a complex procedure that cannot be performed in a typical commercial DBMS. Of course, the results of an evaluation of an ECG can be stored.

(e) Clinical results recorded on film (x-rays, coronary cines, xanthomas) are even harder to store electronically. These can be scanned, digitized, and stored. In fact, more and more of them are being recorded originally in a digital form. However, the capacity to store and read film electronically is beyond the capabilities of the DBMSs used in the local physician’s office. New multimedia systems can solve this problem.

(f) Time-dependent results, such as tables of temperature and blood pressure, can be stored and the results summarized in very useful ways. Time plots, although a bit complex, probably can be handled by certain existing commercial DBMSs.
No known DBMSs can simultaneously store the wide variety of variables we have described in an efficient manner, if at all, let alone merge them into a coherent whole. But that is precisely what is needed! The new multimedia systems now being developed would seem to be most relevant to the field of medicine. Such comprehensive systems are imminent. As this chapter goes to press, the general news media are publicizing an announcement by the Microsoft and Intel Corporations of a new chip and related software that will allow the recording and play-back on a computer monitor of brief cine segments. This appears to be the final part of the components needed to store and retrieve a comprehensive medical record, including all the types of records we have just described.
2.3.2 Managing the Medical Information Explosion

There are several dimensions to the information explosion relevant to clinical practice. The medical records of individual patients are the major dimension. Doctors also need to keep up with relevant changes in medical knowledge. Huge databases of highly relevant medical knowledge are widely available, including those provided by the National Library of Medicine. The library provides on-line retrieval of the title, author, key words, and abstract of virtually all medical research articles published in the world today. The system’s evolution is continuing. In addition to medical literature, there are medical records, medical research databases, insurance records, peer review data, disease registries, and pharmacy information. Patient care protocols and on-line interactive consultations are among the more recently offered information databases.
3. Special Issues in Medical Computing

3.1 Legal and Ethical Issues

There are certain risks associated with the use of computers in clinical medicine, including a number of important legal and ethical issues.
3.1.1 Privacy and Security

Privacy is essentially an ethical issue. In the context of computers, it arises primarily in relation to automated medical records. Security is an issue that concerns the physical protection of sensitive medical databases. The privacy issue is certainly not a new one. The patient-physician relationship has been well established for many years. Strong legal and ethical forces have provided reasonable protection to the patient and physician while sometimes allowing society to intrude in order to take care of certain overriding needs (for example, reporting communicable diseases). The principal way in which automated medical records may disrupt these well-established procedures is by making it much easier to obtain patient records. Automated records are, of necessity, better organized and more easily retrievable.

There are no magic ways to maintain the security of automated medical databases. Ordinary common-sense precautions are best. An on-line system that exposes confidential records to a public communications network makes the data highly vulnerable not only to computer hackers but to individuals who are more serious in wishing to exploit the data and harm
both the physician and his or her patients. Such confidential data should not be placed on-line in a public network. When medical records are kept off-line (that is, not connected into a public communications network), the security which is needed is no different than that needed to protect manual systems.
3.1.2 Computer-Related Illnesses

As automation increases there will be more patients with computer-related complaints. Much has been written concerning medical complaints caused by extensive computer terminal usage. Eye strain and painful neck, wrists, and shoulders are frequent complaints of terminal operators. When these situations are encountered, certain adjustments can be made. CRT screens that are designed to reduce glare are available. Terminals that are adjustable in terms of distance, angle, and heights of both the monitor and keyboard may be selected. Indirect lighting may be reduced and ergonomically designed chairs introduced. The Department of Labor has examined the overall effect of office automation on workers, as has the Rand Corporation. These reports emphasize that proper planning, physical working conditions, and thorough training can and should increase job satisfaction. So far, there are no conclusive data that video display terminals emit harmful radiation. Nonetheless, certain labor unions representing terminal operators keep raising this issue. Computers can create anxiety and stress, an issue with medical overtones. A major cause of anxiety and stress results from worker displacement and unemployment caused by automation. Automation has resulted in a significant displacement of workers in the communications, insurance, printing, and banking industries. More displacements are coming.
3.2 Validation, Regulation, and Standardization: A Dilemma

How to control computer-based medical products and services is controversial but important to all practicing physicians because these products and services are significantly influencing the way medicine is practiced. Many medical devices now have embedded computers. Laboratory equipment, ECG carts, and most modern radiological devices all have computers built into them. Other medical products, such as automated medical records systems and medical expert systems, consist almost entirely of computer programs, that is, computer software. Standards are needed for computer-based medical systems so as to
JOHN M. LONG
facilitate the exchange of information and reduce the cost of medical computing software and hardware. Consider the value of a standard insurance claim form. This standard form has simplified office procedures and, most importantly, made it possible to prepare and produce claims automatically.
The need for regulation of computer-based medical products and services is founded on a different concept. We generally accept the fact that regulation of drugs and medical devices is a legitimate function of government. As computer-based medical products become more and more directly involved in the clinical aspects of medicine, it is natural to expect that these computer-based products and services must also be regulated.
Validation of these types of products and services is also a critical issue. In the validation process we determine whether software and/or hardware performs as claimed. Validation concerns have serious legal and ethical implications. For example, suppose a physician relies on a computer program to calculate the radiation dosage for a cancer patient. If, as has already occurred, the program provides an incorrect answer, who is held accountable? No doubt about it, the physician certainly is! Does the company who sold the program or the computer manufacturer share that liability? They probably do. Dozens of similar situations exist today and hundreds more are coming.
Medicine is confronting a dilemma. Medical software validation procedures are not established. Regulations, it would appear, depend on good validation procedures. Very few of the standards needed for medical software exist. The physician is faced with the need to automate in an environment that has few of the needed controls. Caution, with a heavy dose of common sense, can go a long way toward keeping automation projects moving in the right direction. Above all, one must never abandon good standard management practices.
This obvious piece of advice has not been followed in a number of medical automation projects. Because the validation of medical software is very limited at the present time and regulations are virtually nonexistent, the physician must ultimately rely on his or her own professional judgment when using medical software. If a program provides clinical advice, the doctor has to be concerned with the program’s validity and, possibly, also with regulatory issues. Use these systems only if the basis for the advice is understood and accepted. Hardware standards apply more generally to areas besides medicine and are fairly well established. Thus, considerations regarding computer hardware are less complex and similar to those for users generally. The one exception is computer hardware embedded in a medical device. The previously mentioned error in calculating a radiation dose was done on an embedded computer.
COMPUTER-BASED MEDICAL SYSTEMS
4. A Review of Computer-Based Medical Systems
4.1 Automated Medical Records Systems: Problems and Opportunities
From the beginning, when people first began to think of using computers in medicine, automation of medical records was considered. As stated earlier, it is a key element of many computer-based medical systems. One might have expected it to be among the first things in medicine to be automated. This has not been the case. Some automation of medical records did occur. Hospitals emphasized the automation of those aspects of the record needed to automate billing. Some doctors’ offices also have a similar level of automation, but progress has been very slow.
Over the years, a few people have persisted in their efforts to automate medical records. Studney reported on a “paperless” office experiment in 1981. Another example, the work of Weed and others, stands out in this regard (Weed, 1975; Wakefield, 1983). Weed worked first to change the record to a rational format so it could be automated and then developed a way of doing this sensibly and efficiently.
On-line records of medical and other sensitive data create serious problems related to security and privacy. A reasonably intelligent, creative, and persistent snoop probably could break into the areas of the record containing confidential data. Although the same can be said about manual medical records, it is important to recognize that placing medical records in computers and then hooking the computers into communications networks exacerbates the privacy issue: the record becomes reachable from many more places, by many more people, and without the physical presence a paper chart requires.
Many standards must be established before automated lifetime medical records can be used widely in our modern mobile society. Standards must be developed for both the automated medical record format as well as for the technical components of the system. Format standards should deal with the organization of the data, not the content. The medical profession will not accept the latter except in a limited context. Technical standards include such items as reading and writing methods, record size, the size of memory, and the location of these items in the record.
The equipment to be placed in the physicians’ offices, in hospitals, emergency rooms, pharmacies, and elsewhere also needs to be standardized. Standardized procedures for the transmission of patient data are also needed. Procedures must specify what subgroup of the record can be transmitted to other doctors, insurance carriers, health departments, research studies, and the like. Standards are needed to determine the critical subset to be included on a personal health record card; possibilities include chronic problems, current medications, contraindicated medications, and related data.
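As an added illustration (not part of the original chapter), the following Python program enforces a transmission policy of the kind called for above: each class of recipient receives only its permitted subgroup of the record, one section is withheld from everyone but the treating physician, the personal health record card gets the critical subset (chronic problems, current medications, contraindicated medications), and every disclosure is logged. The recipient classes, section names, and the sample record are all constructed for the example.

```python
from copy import deepcopy

# Constructed sample record; the section names are hypothetical.
SAMPLE_RECORD = {
    "identity": {"name": "J. Doe", "dob": "1950-04-02", "patient_id": "P-0001"},
    "chronic_problems": ["hypertension", "type 2 diabetes"],
    "current_medications": ["metformin", "lisinopril"],
    "contraindicated_medications": ["penicillin"],
    "encounters": [{"date": "1993-11-01", "diagnosis": "hypertension", "procedure": "99213"}],
    "psychiatric_notes": ["confidential counselling note"],
    "billing": {"insurer": "Example Mutual", "claims": [{"date": "1993-11-01", "amount": 85.0}]},
}

# Which record sections each recipient class may receive ("*" = whole record).
# Recipient classes are hypothetical; a recipient with no entry gets nothing.
RELEASE_POLICY = {
    "treating_physician": {"*"},
    "insurer": {"identity", "billing", "encounters"},
    "health_department": {"chronic_problems", "encounters"},
    "research_study": {"chronic_problems", "current_medications", "encounters"},
    "health_card": {"chronic_problems", "current_medications", "contraindicated_medications"},
}

# Sections that leave only with the full ("*") release: deny overrides allow.
ALWAYS_WITHHELD = {"psychiatric_notes"}

# One entry per disclosure, so every transmission is accountable afterwards.
AUDIT_LOG = []


class ReleaseDenied(Exception):
    """No policy covers this recipient, so nothing is transmitted."""


def release(record, recipient):
    """Return the subset of `record` that `recipient` is permitted to receive."""
    if recipient not in RELEASE_POLICY:
        raise ReleaseDenied(f"no release policy for {recipient!r}")
    allowed = RELEASE_POLICY[recipient]
    subset = {}
    for section, content in record.items():
        if section in ALWAYS_WITHHELD and "*" not in allowed:
            continue
        if "*" in allowed or section in allowed:
            # copy, so the recipient never holds a reference into the master record
            subset[section] = deepcopy(content)
    AUDIT_LOG.append((recipient, sorted(subset)))
    return subset


def health_card(record):
    """The critical subset carried on a personal health record card."""
    return release(record, "health_card")


if __name__ == "__main__":
    for who in RELEASE_POLICY:
        print(f"{who:20s} -> {sorted(release(SAMPLE_RECORD, who))}")
```

The policy is a table rather than code scattered through the application, which is what makes it reviewable by the clinicians and administrators who have to agree on it; the audit log is the part most often forgotten and the part that matters once a disclosure is questioned.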
Virtually every member of society has a vested interest in allowing controlled access to his or her medical data. Of immediate concern to the patient is the need to share data with his or her physician and other health care professionals involved in providing care. Every member of society also has a vested interest in sharing in a controlled way his or her health experiences with society as a whole. Health experiences of interest and use to society include the nature and frequency of illness, treatments used, and results.
By far the most common method today for entering a patient’s history into a computer is to collect the data on forms and subsequently enter the data into a computer. This method is also almost universally used to enter other patient data collected by physicians and other staff members who use standard encounter forms. Attempts to develop systems in which the physician enters data directly into the computer have been generally unsuccessful. Systems that allow the patient to enter his or her history data directly into a computer have been successful but are not widely used. There are many advantages to automating the data entry process for an automated medical records system.
1. Results are entered on-line directly into the computer by the patient, eliminating the need for a staff person to do so at a later time. Research has shown that patients will respond positively to a properly designed system (Solomon, 1985).
2. The best way to ask a question can be carefully constructed. The same question can be asked several times and in several ways, providing more reliable data.
3. The computer can ask appropriate follow-up questions depending on the patient’s previous answers and can probe further when needed, using various branchings within the automated questionnaire itself.
4. Results go directly into the computer as a component of an automated medical record.
5. Finally, the results can be tabulated and summarized by the system, producing an efficient and concise summary.
An automated system need not be entirely impersonal. It can use dialogue. Questions can be framed in a personalized way, such as inserting the person’s name or using the child’s name when a parent is answering for a child. It can eliminate female-only questions if the person is a male and vice versa.
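The following Python program is an added example, not code from the chapter, of the branching questionnaire just described: each question carries a rule deciding what to ask next from the answers so far, a female-only question is skipped for a male respondent, the respondent is addressed by name, a question is re-asked in different words so that the summary can flag inconsistent answers, and the answers are tabulated at the end. The questions, their wording, and the scripted replies are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Question:
    key: str                                    # attribute the answer is stored under
    text: str                                   # may refer to earlier answers, e.g. {name}
    choices: Tuple[str, ...]                    # accepted answers
    branch: Callable[[dict], Optional[str]]     # answers so far -> next question id (None = done)


# Hypothetical questionnaire; wording, branches and thresholds are illustrative only.
QUESTIONNAIRE: Dict[str, Question] = {
    "sex": Question("sex", "{name}, are you male or female?", ("male", "female"),
                    lambda a: "pregnant" if a["sex"] == "female" else "chest_pain"),
    "pregnant": Question("pregnant", "{name}, are you currently pregnant?", ("yes", "no"),
                         lambda a: "chest_pain"),
    "chest_pain": Question("chest_pain", "Have you had chest pain in the last month?", ("yes", "no"),
                           lambda a: "exertional" if a["chest_pain"] == "yes" else "chest_pain_again"),
    "exertional": Question("exertional", "Does the pain come on with exertion?", ("yes", "no"),
                           lambda a: "chest_pain_again"),
    # the same question asked a second way, to check the reliability of the answer
    "chest_pain_again": Question("chest_pain_again",
                                 "In the past month, has any discomfort in your chest worried you?",
                                 ("yes", "no"), lambda a: None),
}


def administer(answer: Callable[[str, str, Tuple[str, ...]], str], name: str,
               start: str = "sex") -> dict:
    """Walk the questionnaire, obtaining each reply from answer(key, prompt, choices)."""
    answers = {"name": name}
    qid: Optional[str] = start
    while qid is not None:
        q = QUESTIONNAIRE[qid]
        prompt = q.text.format(**answers)       # personalise with answers already given
        reply = answer(q.key, prompt, q.choices)
        if reply not in q.choices:              # never store an out-of-range answer
            raise ValueError(f"{q.key}: {reply!r} is not one of {q.choices}")
        answers[q.key] = reply
        qid = q.branch(answers)
    return answers


def summarize(answers: dict) -> list:
    """Concise summary for the record, flagging answers that disagree."""
    lines = [f"patient: {answers['name']}, sex: {answers['sex']}"]
    if answers["sex"] == "female":
        lines.append(f"pregnant: {answers['pregnant']}")
    if answers["chest_pain"] != answers["chest_pain_again"]:
        lines.append("chest pain: inconsistent answers, review with patient")
    elif answers["chest_pain"] == "yes":
        lines.append("chest pain: yes" + (", exertional" if answers["exertional"] == "yes" else ""))
    else:
        lines.append("chest pain: no")
    return lines


def scripted(replies: Dict[str, str]):
    """Answer source for offline runs: constructed replies keyed by question key."""
    return lambda key, prompt, choices: replies[key]


if __name__ == "__main__":
    done = administer(scripted({"sex": "male", "chest_pain": "yes", "exertional": "no",
                                "chest_pain_again": "yes"}), "Mr. Doe")
    print("\n".join(summarize(done)))
```

Keeping the branching in data rather than in program logic is what lets a clinician, not a programmer, revise the questionnaire; the rejection of out-of-range replies is the same input validation one would want before any patient-supplied data reaches the record.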
4.2 Clinical Assessment and Risk Evaluation
This is a somewhat arbitrary classification for a broad area of computer applications in medicine. Clinical Assessment and Risk Evaluation (CARE)
covers such applications as using a computer to predict blood pressure variability in pregnancy, management of a transplantation unit of a hospital, the description and representation of ECG structures, and epigastric impedance measurements for the assessment of gastric emptying and motility. Computerized methods of analyzing EEG signals are common. Computers are used to calculate trend analyses in intensive-care units in real time. Everything from the prediction of the chronobiologic index for neonatal cardiovascular risk to modeling an artificial heart has been attempted. Computer-aided impedance cardiology is used to detect ischemic responses during treadmill exercise. A computerized remote control for an implantable urinary prosthesis has been developed. Pulmonary blood circulation has been modeled on a computer. A computer program to diagnose chest pain has been developed to the point where a clinical trial has been proposed.
Medical diagnosis has been extensively subjected to computer analyses. Various techniques have been developed, including expert systems designed to improve diagnoses. Patient management has been enhanced by computers. Automated medical records, discussed elsewhere, are a major component of patient management, but there are other areas. Nursing workloads and the scheduling of equipment are managed by computers. Computers are used to manage supplies and control drug delivery and usage. The accuracy of patient care is enhanced by the use of computers. For example, drug administration can be monitored in such a way as to increase accuracy (correct drug, correct dose) and timing. The uses seem almost limitless.
4.3 Imaging Systems
Computers are transforming radiology into a filmless system. The technology now exists to replace most if not all film-based radiology. Probably the most important reasons why there is any film use today are tradition, resistance to change, and the need to continue to use expensive equipment until it can be charged off. In the long run there seems to be little reason not to change. Filmless radiology is so logical. Film storage and handling has always been a problem. Digital images are stored internally in a computer and can be called up on a remote screen as needed. Indeed, two people in locations many miles apart can view the same image and conduct a consultation. Digital imaging using computers makes possible three-dimensional reconstruction of internal organs. As techniques improve it will be possible to observe smaller and smaller segments of normal or abnormal body parts, such as small brain tumors. The transformation of radiological techniques by computers is truly phenomenal.
Literature in the field has exploded. In recent years, computer-based medical conferences have been inundated with papers reporting on research in this area. Only a few of them are included in this paper’s references, since other publications provide extensive coverage. Several large conferences, such as the European-based Computer-Aided Radiology (CAR) conference, are devoted exclusively to this area.
4.4 Medical Devices
Modern medicine depends on many medical devices that are either computer-based or include an embedded computer. They are often taken for granted. No one, for example, in an operating room during open-heart surgery thinks about the real-time performance of a half-dozen or so on-board processors running thousands of lines of code. Nonetheless, their reliability and accuracy are critical to the surgery.
Manufacturers of computer-based medical devices face special commercialization challenges, not the least of which is to demonstrate that the system is safe and performs as intended. In a recent article Kriewall and Long (1991) described a cochlear implant device that can be tested only by surgically implanting the device into a human. Another type of device is a nuclear therapy machine. For this device controls must be designed to prevent the operator from administering an overdose. Regulations are expected to assure that medical devices are reliable and safe. As previously discussed, the FDA is attempting to do this with limited success. Reliability and quality in medical devices involve both fault-tolerant hardware and accurate software. The design and implementation cycle for medical devices must consider the potential for medical malpractice at all stages. The number of malpractice suits related to devices has increased dramatically in the past few years and this trend will continue. Malpractice considerations are dramatically affecting the design procedures of medical instruments.
In 1990, Congress passed the Safe Medical Devices Act. It represents the government’s effort to shore up the ability of the FDA to regulate medical devices by broadening its control. Legislation and regulations designed to control drugs, the traditional area for the FDA, are often either not applicable to medical devices or apply to them in an awkward way. Medical software has also come under closer scrutiny.
The FDA has issued directives that attempt to define good manufacturing practice in the development of medical software. More and more often, software is replacing hardware in devices because it is more easily changed and has greater functionality than hardware. Techniques for fault-tolerant software are being developed. Multiversion software techniques are used to improve accuracy. These techniques include
N-version programming, which requires a consensus “vote” among independently written versions to determine the “correct” outputs. A Recovery Block method runs a primary version and uses an acceptance test to judge whether its output is correct, falling back to an alternate version when the test fails. A hybrid method combining the two is called a Consensus Recovery Block: the outputs are voted first, and the acceptance test is applied only when the vote is inconclusive.
Reliability engineering involves the use of a variety of tools to specify, predict, design, test, and demonstrate the function of a device. These tools are used in many application areas but take on a special significance when applied to medical devices. Quality concerns must also be dealt with. Medical software applications introduce unique problems. An alternative to the FDA’s way of monitoring software has been introduced by the International Organization for Standardization, called ISO 9000. There is also a very practical side to quality concerns, such as cost controls and market needs. Quality must be a part of every step of the development cycle, beginning with understanding customer requirements, converting these requirements into equivalent engineering specifications, hazard analyses of the functional prototype, and testing under normal and reasonably expected abusive conditions.
As reflected in our extensive reference list on medical devices, there are many development efforts for medical devices that use computer technology. Application areas range from an eye monitor, an implantable telemetry system, and an orthopedic implant, to a closed-loop drug delivery system, as well as various intensive-care and other patient monitoring devices. Many of the devices reported in the public literature have been developed in an academic research environment. A great deal of the really interesting work on medical devices remains confidential because of its commercial value.
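The three multiversion techniques named above, as an added worked example in Python (this is not code from the chapter or from any device described in it). The computation is a deliberately simple beam-time calculation with a toy attenuation model, chosen because the chapter’s own radiation-dose error is the kind of fault these techniques exist to contain; two of the four “versions” carry constructed faults, and the acceptance test is an inverse check that recomputes the delivered dose from the proposed time rather than a mere range check, since a range check would pass the faulty answers here.

```python
import math
from typing import Sequence


class NoSafeResult(Exception):
    """Raised when no version's output can be trusted; the device must not proceed."""


# Toy computation: seconds of beam time to deliver `dose_cgy` at `depth_cm`,
# given a surface dose rate and a linear attenuation coefficient.
# The formula is illustrative only, not a clinical dose model.
def version_a(dose_cgy, rate_cgy_s, depth_cm, mu_per_cm):
    return dose_cgy / (rate_cgy_s * math.exp(-mu_per_cm * depth_cm))


def version_b(dose_cgy, rate_cgy_s, depth_cm, mu_per_cm):
    # "independently written": same specification, different arrangement
    return dose_cgy * math.exp(mu_per_cm * depth_cm) / rate_cgy_s


def version_c(dose_cgy, rate_cgy_s, depth_cm, mu_per_cm):
    # constructed fault: the sign of the exponent is wrong beyond 10 cm,
    # so deep targets get far too little beam time
    sign = -1.0 if depth_cm > 10 else 1.0
    return dose_cgy * math.exp(sign * mu_per_cm * depth_cm) / rate_cgy_s


def version_d(dose_cgy, rate_cgy_s, depth_cm, mu_per_cm):
    # constructed fault: ignores depth altogether
    return dose_cgy / rate_cgy_s


def accept(time_s, dose_cgy, rate_cgy_s, depth_cm, mu_per_cm) -> bool:
    """Acceptance test: a finite, positive time that, run forward through the
    dose model, reproduces the prescribed dose."""
    if not (math.isfinite(time_s) and time_s > 0):
        return False
    delivered = time_s * rate_cgy_s * math.exp(-mu_per_cm * depth_cm)
    return math.isclose(delivered, dose_cgy, rel_tol=1e-9)


def majority(results: Sequence[float], rel_tol=1e-9):
    """Return a value that more than half of the results agree with, else None."""
    for r in results:
        if sum(math.isclose(r, s, rel_tol=rel_tol) for s in results) * 2 > len(results):
            return r
    return None


def n_version(versions, args):
    """N-version programming: run all versions, accept only a majority vote."""
    results = [v(*args) for v in versions]
    r = majority(results)
    if r is None:
        raise NoSafeResult(f"no majority among {results}")
    return r


def recovery_block(versions, args, test=accept):
    """Recovery block: primary first, then alternates, until one passes the test."""
    for v in versions:
        r = v(*args)
        if test(r, *args):
            return r
    raise NoSafeResult("every alternate failed the acceptance test")


def consensus_recovery_block(versions, args, test=accept):
    """Consensus recovery block: vote first; on no consensus, fall back to the test."""
    results = [v(*args) for v in versions]
    r = majority(results)
    if r is not None:
        return r
    for r in results:
        if test(r, *args):
            return r
    raise NoSafeResult("no consensus and no result passed the acceptance test")


if __name__ == "__main__":
    deep = (200.0, 2.0, 15.0, 0.05)       # dose cGy, rate cGy/s, depth cm, mu 1/cm
    print("vote  ", n_version([version_a, version_b, version_c], deep))
    print("block ", recovery_block([version_c, version_d, version_a], deep))
    print("hybrid", consensus_recovery_block([version_a, version_c, version_d], deep))
```

Note the failure mode that matters for a therapy machine: when neither the vote nor the acceptance test can vouch for an answer, every routine raises rather than returning a best guess, so the caller has to treat “no result” as an explicit outcome and interlock the beam.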
5. Artificial Intelligence in Medicine
Artificial intelligence (AI) is a technical area of computer science that has much relevance in clinical medicine. Expert systems and artificial neural systems are especially relevant to any discussion of computer-based medical systems. Among the very first AI applications were those in medicine. An expert system called INTERNIST and another called MYCIN are two early and frequently cited medical applications of AI (Miller et al., 1982; Shortliffe et al., 1975). INTERNIST was initiated by a good diagnostician in an effort to record his expertise more completely than he could using conventional forms of written communication. The project continues (Miller et al., 1985; Miller et al., 1986). MYCIN received wide publicity and inspired a number of additional medical projects using rule-based expert systems. Some of
these other applications have reached clinical use in limited settings, although, ironically, it appears that MYCIN has not (Kunz et al., 1978). An early text on expert systems listed over 50 medical expert systems (Waterman, 1986). The journal MD Computing devoted an issue to expert systems which introduced three of them (Miller et al., 1986; Kingsland et al., 1986; Tuhrim and Reggia, 1986). These systems remain essentially in academic settings. Systems have been used to enhance clinical research (Long et al., 1987).
There are several reasons for the wide experimentation with artificial intelligence in medicine. AI systems can manipulate symbolic knowledge, that is, knowledge expressed in symbols (e.g., words), making possible the automation of systems that deal with medical concepts which cannot be expressed numerically. A few, albeit quite simple, techniques have been developed that allow one to program a computer so as to imitate the kind of subjective judgmental reasoning that is used by doctors when they are practicing their profession. Expert reasoning is based on experience that often cannot be reduced to a conventional algorithm. Medical applications are especially popular in AI because the diagnostic and other reasoning processes of medicine, while highly complex and somewhat subjective, do follow an intelligent rational path based on reasonably well-defined practices and a body of knowledge. Medical diagnoses and other medical decision-making processes are often “fuzzy.” Expert systems allow for the uncertainty that is inherent in clinical judgment. Heuristic rules can approximate the reasoning process actually followed by a clinician.
Artificial neural systems (ANS), another area of AI closely associated with medicine, are themselves inspired by the human neural system and attempt in a simplistic way to imitate it. Artificial neural systems have been developed that can be trained and, in a limited sense, “learn.”
5.1 Expert Systems
5.1.1 Overview Almost anywhere today one can find articles about expert systems. This rather specialized branch of computer science is not new. Although it has only recently emerged from academia, it goes back to the 1960s when there was a major effort to use computers to translate from one language to another, especially from Russian to English. Although there has been some progress, a workable computer translation system is still far from realization today. However, as is usually the case, some very useful and practical applications have evolved from this general research area.
Expert systems are a part of a branch of computer science called Artificial Intelligence or simply AI. The name, “artificial intelligence,” conjures up negative feelings for many people. Some prefer to use the term “machine learning.” Artificial intelligence is that area of computer science that attempts to build systems which can imitate intelligent human-like processes. The field is broad and includes, besides expert systems and artificial neural systems, robotics, voice recognition and computer vision systems, and natural language research. There are several reasons for all of this activity related to the use of expert systems in medicine.
1. There is a new understanding that computers can manipulate symbols as well as numbers. Computers used to be thought of as “number crunchers.” Numbers were used to code virtually all symbolic information, such as names and categories. Computer printouts had to be decoded. Advances in computer systems over the years, in both hardware and software, now facilitate the storage and manipulation of symbolic knowledge such as English words. This allows computers to work with medical concepts that cannot be reduced to numbers.
2. A few, albeit quite simple, techniques have been developed that allow one to program a computer to imitate the kind of subjective judgmental reasoning that is used by experts, such as doctors, when they are practicing their profession. Such reasoning is often based upon experience that either cannot or has not been reduced to a conventional written form. Expert systems provide a means of recording certain kinds of knowledge that has not been recorded in any other way.
3. There has been a continual decrease in computer costs. The cost of the large computer capacity required to record and manipulate the symbolic knowledge needed by expert systems is now low enough to make them feasible. Costs are hundreds and thousands instead of millions of dollars.
4. Computers have become “user friendly.” They are relatively easy to use and are accepted and used by many physicians. This allows clinical experts who know little or nothing about computers to be more intimately involved in the process.
5. Medical applications are especially popular in AI because the diagnostic and other reasoning processes of medicine, while highly complex and somewhat subjective, follow an intelligent rational path based on reasonably well-defined practices and a body of scientific knowledge.
6. Most medical decision-making processes like diagnosing and treatment selection are inexact. The heuristic programming methods of AI are especially suited to such problems. Expert systems allow for the uncertainty that is inherent in clinical judgment. The heuristic rules of AI can approximate the reasoning process actually followed by a clinician.
5.1.2 What Is an Expert System?
Expert systems technology uses a totally different approach to the design of computer-based programs. The value of this approach is based on two very important elements not found in conventional computer programs. The programs incorporate and use nonnumerical knowledge about the specific application area of the system. They also operate with incomplete information and arrive at the best solution possible under the circumstances, in much the same way that human experts would do under similar conditions.
Two components of the system are especially important: the knowledge base and the inference engine. The knowledge base contains the background of clinical knowledge that is needed to work with individual clinical cases. Conventional computer programs contain only the defined and predetermined programming steps that are used to manipulate data. The inference engine is that part of the computer program that would, for instance, analyze data from an individual patient using general clinical knowledge contained in the knowledge base. The expert system uses methods, usually in the form of rules, that are roughly equivalent to heuristic human-like thought. Conventional computer programs use only predetermined and pre-set algorithmic methods. In expert systems, the knowledge stored is primarily symbolic (that is, nonnumeric) in the form of rules, attributes, and frames of related facts that represent the known and relevant information about the clinical topic it covers.
An expert system is engineered to imitate the methodology and rationale of an expert. It is based on the expert’s experience and goes beyond knowledge that can be found in books. These experience-based methods are called heuristics or “rules of thumb.” By their very nature expert systems are capable of explaining the reasoning process used to arrive at a conclusion.
This is especially important in medical practice, because it makes it possible for physicians who use them to check the validity of, and have confidence in, the results. Systems have been built that attempt to imitate a medical expert in diagnosing, in consulting, when examining a large database for new medical knowledge, and when analyzing clinical data when clinical judgment is required (Miller et al., 1982; Shortliffe et al., 1975; Waterman, 1986; Long et al., 1987). The latter effort is especially relevant in clinical trials and other areas of clinical research that rely heavily on clinical judgment for the analysis of data.
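To make the knowledge base, inference engine, and explanation facility concrete, here is an added Python example (not code from the chapter, and not the AGNESS shell or the cardiologist’s rules described later in it). It holds a handful of hypothetical IF-THEN rules about a pair of exercise ECG tests, each carrying a certainty factor; the same knowledge base is driven both forward (data-driven, firing every rule whose antecedent holds) and backward (goal-driven, proving subgoals recursively), and the trace of rules used is rendered as the explanation a physician could check. The rules, thresholds, and sample test values are constructed for the illustration and have no clinical standing.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Fact = Tuple[object, float]   # (value, certainty factor in [0, 1])


@dataclass(frozen=True)
class Rule:
    name: str
    antecedent: Tuple[Tuple[str, object], ...]  # every (attribute, value) pair must hold
    consequent: Tuple[str, object]              # (attribute, value) concluded when it fires
    cf: float                                   # certainty the rule attaches to its conclusion


# Hypothetical knowledge base (acyclic; one rule chain per conclusion attribute).
RULES: List[Rule] = [
    Rule("R1", (("duration_change", "longer"),), ("exercise_capacity", "improved"), 0.8),
    Rule("R2", (("duration_change", "shorter"),), ("exercise_capacity", "reduced"), 0.8),
    Rule("R3", (("st_change", "less"),), ("ischemia", "reduced"), 0.7),
    Rule("R4", (("st_change", "more"),), ("ischemia", "increased"), 0.7),
    Rule("R5", (("exercise_capacity", "improved"), ("ischemia", "reduced")), ("performance", "improved"), 0.9),
    Rule("R6", (("exercise_capacity", "reduced"), ("ischemia", "increased")), ("performance", "worsened"), 0.9),
]


def compare_tests(first: dict, second: dict) -> Dict[str, Fact]:
    """Turn two test reports (seconds of exercise, mm of ST depression) into
    symbolic facts. The thresholds are illustrative, not clinical."""
    d = second["duration_s"] - first["duration_s"]
    st = second["st_depression_mm"] - first["st_depression_mm"]
    duration = "longer" if d >= 60 else "shorter" if d <= -60 else "unchanged"
    st_change = "less" if st <= -0.5 else "more" if st >= 0.5 else "unchanged"
    return {"duration_change": (duration, 1.0), "st_change": (st_change, 1.0)}


def _matches(rule: Rule, facts: Dict[str, Fact]) -> Optional[float]:
    """Min certainty of the antecedents if every pair holds, else None."""
    cfs = []
    for attr, value in rule.antecedent:
        if attr not in facts or facts[attr][0] != value:
            return None
        cfs.append(facts[attr][1])
    return min(cfs)


def forward_chain(facts: Dict[str, Fact], rules=RULES):
    """Data-driven: keep firing rules whose antecedents hold until nothing changes."""
    facts = dict(facts)
    fired: List[str] = []
    changed = True
    while changed:
        changed = False
        for r in rules:
            attr, value = r.consequent
            if attr in facts:               # first conclusion for an attribute stands
                continue
            cf = _matches(r, facts)
            if cf is not None:
                facts[attr] = (value, round(r.cf * cf, 4))
                fired.append(r.name)
                changed = True
    return facts, fired


def backward_chain(goal: str, facts: Dict[str, Fact], rules=RULES):
    """Goal-driven: establish `goal` by recursively proving each rule's antecedents.
    Returns ((value, cf), [rules used]) or None if the goal cannot be established."""
    if goal in facts:
        return facts[goal], []
    for r in rules:
        if r.consequent[0] != goal:
            continue
        cfs, used = [], []
        for attr, value in r.antecedent:
            result = backward_chain(attr, facts, rules)
            if result is None or result[0][0] != value:
                break
            cfs.append(result[0][1])
            used.extend(result[1])
        else:
            return (r.consequent[1], round(r.cf * min(cfs), 4)), used + [r.name]
    return None


def explain(trace: List[str], rules=RULES) -> List[str]:
    """The explanation facility: the rules used, in order, as IF ... THEN lines."""
    by_name = {r.name: r for r in rules}
    lines = []
    for name in trace:
        r = by_name[name]
        ante = " AND ".join(f"{a} = {v}" for a, v in r.antecedent)
        lines.append(f"{name}: IF {ante} THEN {r.consequent[0]} = {r.consequent[1]} (cf {r.cf})")
    return lines


if __name__ == "__main__":
    facts = compare_tests({"duration_s": 420, "st_depression_mm": 2.0},
                          {"duration_s": 540, "st_depression_mm": 1.0})
    derived, trace = forward_chain(facts)
    print("forward :", derived["performance"], trace)
    print("backward:", backward_chain("performance", facts))
    print("\n".join(explain(trace)))
```

The certainty of a conclusion is the rule’s own factor times the weakest antecedent, the MYCIN-style combination; when the evidence is mixed (longer exercise but more ST depression) neither strategy reaches a conclusion about performance, and the system says so rather than guessing, which is the behaviour one wants before a physician is asked to trust the advice.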
Using a broad definition, any computer-based system designed to imitate the intellectual processes of an expert can be called an expert system. Using this definition, for example, programs written in the 1960s to analyze electrocardiograms are expert systems. Many articles written in medically oriented publications seem to adopt this broad definition. Most computer scientists would probably not accept such a definition. Those working in the AI area probably prefer to use a narrow technical definition. They would be more apt to define expert systems as systems that are built using the techniques of AI and developed (though not necessarily operated) in one of the AI computer languages such as LISP (for LISt Processing) or PROLOG. Techniques of AI include such methods as the use of rules and frames to represent knowledge and the use of AI inferencing techniques to maneuver through the system (for example, in backward and forward chaining) to reach a goal. The author favors the latter definition. If one uses the broader definition one may conclude that some of the commercial systems now on the market are expert systems. Using the narrower definition, it is doubtful that any of the commercial products offered today are true expert systems.
5.1.3 Examples of Medical Expert Systems
Current expert system projects in medicine cover a broad range. Expert systems have been built as an aid in diagnosis, consulting, discovery of new medical knowledge, and the analysis of clinical data when clinical judgment is essential (Miller et al., 1982; Shortliffe, 1975; Kunz, 1978; Waterman, 1986; Blum, 1982; Long et al., 1987). It seems clear that the following are the broad areas where medical expert systems will first be introduced into clinical practice.
(a) Diagnostic Aids. Diagnostic aids based on AI technology that are now coming on the market can do several things. First, they make it less likely that a doctor will miss a diagnosis because of a lapse of memory. Humans tend to see things in their current context (X is going around or is common in the practice, so X comes to mind), whereas an expert system will consistently follow its own rules in order to consider all options and reach a consistent conclusion. Also, a properly designed expert system will allow a doctor to research cases more easily by cutting through the volumes of data available to get at the relevant cases.
(b) Drug Evaluation and Selection. The Physician’s Desk Reference is now available on-line in doctors’ offices. A true expert system can go well beyond this and provide, for example, the added feature of helping one move quickly to relevant issues.
(c) Consultations. Certain types of data that are normally acquired by a consultation can be programmed into an expert system. To a large extent, this amounts to recording in a more usable format information which could otherwise be found by calling a specialist or through a literature search. Some of these automated consultations will point to the relevant literature. Consultants, the human kind, are not going to be replaced by these systems, but a properly designed expert system, whose knowledge engineering is based on the knowledge and experience of the best clinical experts, can do far more than many doctors realize.
(d) Treatment Protocol Selection. Cancer treatment represents a good example of how an expert system can be used to help a doctor select the best treatment protocol. To assist doctors with the huge volume of data involved, the National Cancer Institute has licensed BRS/Saunders to offer a system called PDQ (Physician’s Data Query). Another system dealing with birth defects that operates in a way similar to PDQ is also commercially available.
(e) Clinical Data Analyses and Summaries. From a practical standpoint for the practicing physician, an expert system which could produce a condensation and summary of a set of data relevant to a certain patient would be very useful. When available, these systems will assimilate and summarize for the physician the large volumes of data that have been collected on patients in an intelligent and useful way. It has been shown that patient care can be just as good when the physician uses such a summary as when the physician tries to use the entire medical record (Whiting-O’Keefe et al., 1985).
(f) Continuing Medical Education. Continuing medical education is needed by both physicians and patients. Expert systems can enhance and improve computer-based education. Computer-based interactive courses using expert system technology represent an excellent alternative to texts (tedious) and courses (expensive). The possibilities are very interesting. The same basic course can be tailored automatically to the specific needs of each individual. Educating patients on how to care for themselves is also important for a variety of reasons, including cost containment. Patient and family member training in ways of living with chronic diseases, such as diabetes and heart disease, is especially important. When expert systems technology is combined with the new high-capacity laser-disk storage technology, courses can include a variety of new teaching techniques, such as color video sequences that demonstrate how to do special procedures. Expert systems provide a quantitative leap over texts in teaching effectiveness and can approach the effectiveness of the “real thing.”
The potential use of expert systems in medicine is quite broad and many of these uses promise to be valuable. There is an important missing link. It is the lack of adequate standards and validation procedures for them. Ultimately, something comparable to the regulatory mechanisms of the Food and Drug Administration (FDA) seems to be needed.
5.1.4 An Example of How Expert Systems Are Built
Here is an example of how one expert system was built. It was designed to analyze clinical trial data where the analyses required the use of clinical judgment. This small expert system was built in order to test the methodology. It assesses the data obtained from a pair of serial graded-exercise ECG tests and duplicates the decision reached by a cardiologist regarding changes in patient performance (Long et al., 1987). An abbreviated glossary of AI terms used to describe the development process can be found in Table I.
The basic steps for building the expert system are to develop the knowledge base and to select (and modify, if required) the inference engine. Alternatively, one could custom build the inference engine, an option not considered. The knowledge base contains the rules and facts that fuel the inference engine. The inference engine is that part of the system that interprets the rules and facts as it runs the system. For the system reported here, one domain expert, a cardiologist, worked with the knowledge engineer to transfer his knowledge into the expert system. A fully developed system would need to use additional input from this cardiologist and other cardiologists as well. A development tool, called AGNESS (A Generalized Network-based Expert System Shell), was used to build the system (Slagle et al., 1986). AGNESS was developed using the specialized programming language used by many people working in artificial intelligence, especially in the United States, called LISP (for LISt Processing).
The rules were developed to approximate those used by a clinician when evaluating the same basic clinical data. This was accomplished through an interactive process in which the knowledge engineer and expert met to discuss and analyze sample problems. The domain (clinical) expert verbalized his thought processes as he worked through a set of problems.
He explained the factual knowledge he used from the scientific literature, often citing results of research performed by himself and others. It is especially important to note that he also used and explained, as best he could, the “rules of thumb” or heuristics that he found helpful. Heuristics are based on experience rather than on book knowledge, and their incorporation into the system is one of the unique reasons why expert systems work. As these sessions progressed, the knowledge engineer formulated, modified, discarded, replaced, and expanded the rules used by the domain expert, whether stated or implied. The computer versions of the rules are often of the “IF...THEN” type. The IF part, called the antecedent (or premise), contains the pattern or attributes that must be matched for the rule to be used. The THEN part, called the consequent, contains the action to be taken or the assertion to be made when the antecedent is satisfied. A set of representative cases was carefully selected so as to present to the expert a variety of typical situations and to stimulate explanations by the clinician as to what he was doing to solve the case. Each of the sessions between the engineer and the expert was tape recorded and later analyzed by the knowledge engineer in order to extract and define the rules for the expert system. The resulting expert system was tested on a set of 100 cases in order to validate the system. The cases were selected to be representative of all the different types of results. Each of the cases was evaluated individually by two different members of a panel of five expert cardiologists. The 100 pairs of tests were distributed in such a way that each reader’s cases within a group were equally distributed among the other four readers for the other reading. We then examined the conclusions made by the expert system to determine how the rules were working; that is, how well they matched the individual cardiologists’ evaluations. A third method was also used: the 100 cases were evaluated using multiple linear regression equations. It is interesting to note that several of the variables used in the multiple regression equation had obscure clinical meanings.

JOHN M. LONG

TABLE I ABBREVIATED GLOSSARY OF AI TERMS

Antecedent: The first part of a rule clause, containing a pattern or attribute that must be matched. If the antecedent of a rule being tested is true, the consequent (or action) of the rule is evaluated. Also called the premise. The “IF” part of a rule.
Arc: A method of connecting nodes that implies relationships.
Attribute: A feature or property of an object.
Backward chaining: An expert system control procedure that starts reasoning from a goal and works backward toward preconditions.
Consequent: The “THEN” part of a rule, which contains the conclusion function(s) to be evaluated if the antecedent or premise is true. Also called the action.
Domain: The problem area whose solution is addressed by the knowledge base and the inference engine.
Domain expert: A human expert in the problem area who helps the knowledge engineer build the knowledge base and rules.
Expert system: A software program that infers a solution to a problem in a particular area of expertise using a human-like reasoning process, including heuristic reasoning.
Forward chaining: An expert system control procedure that works from subgoals or preconditions toward the main goal by applying rules.
Frame: A knowledge representation method that associates features with nodes representing concepts or objects. The features are described in terms of attributes (called slots) and their values.
Heuristic: A technique or assumption that is not formal knowledge, but which aids in finding the solution to a problem. A rule of thumb or clue as to how to carry out the task.
Inference: A reasoning step or hypothesis based on current knowledge; a deduction.
Inference engine: The part of the expert system that infers a solution to a problem by applying the rules and facts in the knowledge base to the problem.
Knowledge base: The computer representation of the domain expert’s knowledge. Contains parameters (facts), rules, and user-defined functions.
Knowledge engineer: The person who specializes in designing and building expert systems by formalizing information gained from the domain expert.
LISP: A programming language for procedure-oriented representation that is often used in artificial intelligence. The acronym comes from LISt Processing.
LISP machine: Computers with architectures specifically configured to execute symbolic processing software coded in LISP.
Natural language: The conventional method of exchanging information between people; English.
Node: A place in the network where a piece of information, a value, or a function is located.
Prolog: A programming language for logic-based representation that is often used in artificial intelligence.
Rule: A combination of facts, functions, and certainty factors in the form of an antecedent (premise) and a consequent (action), as in an “IF...THEN” sentence.
Semantic network: A knowledge representation method consisting of a network of nodes standing for concepts or objects, connected by arcs describing relations between the nodes.
Workstation: An AI workstation is a microcomputer that is specifically designed to accommodate the development of expert systems and other work in artificial intelligence. It may involve both the architecture (hardware) of the computer and the software it uses, including a LISP compiler and other software aids.

COMPUTER-BASED MEDICAL SYSTEMS
When the pairs of tests were evaluated by either of the two cardiologists, by the expert system, or by the multiple regression equation, the conclusion was whether a patient’s result was better or worse from the first to the second test, using the following seven-point scale:
1 = much worse
2 = worse
3 = slightly worse
4 = no change
5 = slightly better
6 = better
7 = much better
The three methods for evaluating the test data were compared in two different ways as to how well they agreed with the cardiologists. “Exact” agreement meant that the same point on the seven-point scale was used as the conclusion for both of the evaluations being compared. Agreement “within a single category” meant that the two evaluations used the same or an immediately adjacent category of the seven-point scale; that is, the absolute value of the difference between the two evaluations was 1 or 0. The comparisons were made based on the percentage of agreement of the cardiologists among themselves, with the expert system, and with the multiple regression equation, respectively. Table II summarizes the average results. For “exact” agreement the expert system agreed with the cardiologists about as well as the cardiologists agreed among themselves. They agreed with themselves 41.0% of the time and with the expert system 41.7% of the time. The expert system did much better than the multiple regression equations, which agreed with the cardiologists 34.0% of the time. For agreement “within a single category,” the expert system performed best: it agreed with the cardiologists 83.5% of the time. The multiple regression equations’ evaluations, at 81.5%, did better than the cardiologists, who agreed among themselves “within a single category” 76.0% of the time. After making allowance for normal variation, it was concluded that even a very basic expert system can evaluate serial graded-exercise ECG test data about as well as, and may actually perform better than, either the individual cardiologists or multiple regression equations.
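The IF...THEN rule machinery and the two agreement measures described above, as an added example that is not part of the chapter or of the AGNESS shell. It generalizes the description into a small forward-chaining engine that fires rules until no antecedent matches; the rules, thresholds, reader ratings, and sample cases are constructed placeholders, not the cardiologist’s actual rules.

```python
# Added example (not from the chapter): a toy forward-chaining inference engine
# over IF...THEN rules, plus the "exact" and "within a single category"
# agreement measures. Rules, thresholds and cases below are constructed
# placeholders, not the AGNESS knowledge base or any clinical guidance.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Facts = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """An IF...THEN rule: antecedent (premise) and consequent (action)."""
    name: str
    antecedent: Callable[[Facts], bool]
    consequent: Callable[[Facts], None]


def forward_chain(rules: List[Rule], facts: Facts, max_cycles: int = 50) -> Tuple[Facts, List[str]]:
    """Forward chaining: fire every rule whose antecedent matches the current
    facts, re-scan while new facts keep appearing, stop when nothing fires.
    Each rule fires at most once, so the loop terminates."""
    facts = dict(facts)  # work on a copy; the caller's facts stay unchanged
    fired: List[str] = []
    for _ in range(max_cycles):
        progress = False
        for rule in rules:
            if rule.name not in fired and rule.antecedent(facts):
                rule.consequent(facts)
                fired.append(rule.name)
                progress = True
        if not progress:
            break
    return facts, fired


def step(delta: float, worse_if_below: float, better_if_above: float) -> int:
    """Map a change between two tests to -1 (worse), 0 (no change) or +1 (better)."""
    if delta < worse_if_below:
        return -1
    if delta > better_if_above:
        return 1
    return 0


# Constructed toy rules; the thresholds are illustrative only.
TOY_RULES = [
    Rule("exercise-duration",
         lambda f: "duration_delta_s" in f and "duration_step" not in f,
         lambda f: f.update(duration_step=step(f["duration_delta_s"], -60, 60))),
    Rule("peak-heart-rate",
         lambda f: "peak_hr_delta" in f and "hr_step" not in f,
         lambda f: f.update(hr_step=step(f["peak_hr_delta"], -10, 10))),
    Rule("st-depression",
         # more ST depression on the second test is worse, so the sign is flipped
         lambda f: "st_depression_delta_mm" in f and "st_step" not in f,
         lambda f: f.update(st_step=-step(f["st_depression_delta_mm"], -0.5, 0.5))),
    Rule("conclude",
         lambda f: all(k in f for k in ("duration_step", "hr_step", "st_step"))
         and "conclusion" not in f,
         # 4 = no change; three steps of -1/0/+1 span the 1..7 scale
         lambda f: f.update(conclusion=4 + f["duration_step"] + f["hr_step"] + f["st_step"])),
]


def assess(case: Facts) -> int:
    """Run the toy knowledge base over one pair of serial tests; return the 1..7 conclusion."""
    facts, _ = forward_chain(TOY_RULES, case)
    if "conclusion" not in facts:
        raise ValueError("knowledge base could not reach a conclusion for this case")
    return int(facts["conclusion"])


def exact_agreement(a: List[int], b: List[int]) -> float:
    """Fraction of cases where both readings chose the same point on the scale."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def within_one_category(a: List[int], b: List[int]) -> float:
    """Fraction of cases where |difference| is 0 or 1 (same or adjacent category)."""
    return sum(abs(x - y) <= 1 for x, y in zip(a, b)) / len(a)


# Constructed sample cases: input deltas plus an invented cardiologist reading.
SAMPLE_CASES = [
    ({"duration_delta_s": 120, "peak_hr_delta": 15, "st_depression_delta_mm": -1.0}, 7),
    ({"duration_delta_s": 90, "peak_hr_delta": 0, "st_depression_delta_mm": 0.0}, 5),
    ({"duration_delta_s": 0, "peak_hr_delta": 5, "st_depression_delta_mm": 0.2}, 4),
    ({"duration_delta_s": -90, "peak_hr_delta": -12, "st_depression_delta_mm": 1.0}, 2),
    ({"duration_delta_s": -30, "peak_hr_delta": -20, "st_depression_delta_mm": 0.0}, 4),
]


def compare_with_reader() -> Tuple[float, float]:
    """(exact agreement, within-one-category agreement) of the system vs the reader."""
    system = [assess(case) for case, _ in SAMPLE_CASES]
    reader = [rating for _, rating in SAMPLE_CASES]
    return exact_agreement(system, reader), within_one_category(system, reader)


if __name__ == "__main__":
    print(compare_with_reader())  # (0.6, 1.0) on the constructed cases
```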
TABLE II AVERAGE CARDIOLOGISTS’ READINGS COMPARED AMONG THEMSELVES, TO MULTIPLE REGRESSION EQUATIONS, AND TO THE EXPERT SYSTEM

                            Card. vs Card.    Card. vs Reg. Eq.    Card. vs Expert System
Exact                       42.0%             34.0%                41.7%
Within a single category    76.0%             81.5%                83.5%

5.1.5 Strengths and Weaknesses of Expert Systems
The experimental expert system did very well when it is considered that it was designed using the knowledge input of just one cardiologist and only a limited number of iterations of the knowledge engineering process. The purpose of developing the expert system was to examine the ability of such a system to provide clinical researchers with a new tool to evaluate clinical research data when clinical judgment is an important element in the evaluation. This simple purpose was accomplished. It is interesting that the expert system matched or slightly improved upon the performance of the statistical method. This may be because the analysis of serial data includes a strong component of clinical judgment, which is more easily accommodated by an expert system. This does not imply that expert systems can replace statistical methods. Indeed, they cannot! However, there are a number of situations, such as the serial evaluation of graded exercise ECG test data, where expert systems can be used to improve upon and automate the process. The point is that expert systems provide an additional analytical tool for clinical research studies, especially clinical trials. Sometimes expert systems will work better than statistical methods alone. There are times when it would appear to be inappropriate to use an expert system (e.g., where clinically meaningful and objective measurements can be obtained). A not uncommon situation might involve the use of some combination of the two approaches. For the evaluation of serial clinical data such as graded exercise ECG test data, it appears that a fully developed expert system will provide clinical researchers with more information than can be obtained from conventional statistical methods such as multiple regression. Furthermore, expert systems are far more efficient and practical than individual experts or a panel of experts for evaluating data, provided there are enough clinical comparisons to justify the development costs. The cost to develop and use expert systems appears to be reasonable. This is especially true now that expert system development shells such as AGNESS are widely available.
The prototype expert system reported here was developed using about ten hours of a cardiologist’s time and 100 hours of the knowledge engineer’s time, including about 50 hours on an AI workstation. There is another point to be made regarding the use of expert systems: the need to use analytical methods that are clinically meaningful. Expert systems, by their nature, have this property. In the demonstration project some of the variables used by the multiple regression equations for prediction had clinically obscure meanings. The cardiologists were not especially comfortable with this situation. They also felt that the statistical method used too little of the available clinical data (that is, too few of the variables were employed). There is still another benefit to be gained from the development of expert systems. Even though the focus of the project was to test expert systems for the analysis of clinical trial data, and not on how to evaluate ECGs, the knowledge engineering process added to the knowledge and understanding of the mental processes cardiologists use in assessing serial graded exercise ECGs.
The expert system that has been described demonstrates that these systems can automate the analysis of some clinical trial data and other types of serial clinical research data. This is a new and different way to use expert systems in medicine. Clinical research projects can use expert systems to automate these types of analyses, thereby relieving the professional and/or technical staff of the rote processes now commonly used to analyze these types of clinical data. This can be done without sacrificing the amount of information derived from the data, which could be the case if conventional statistical methods are used.
5.1.6 Current Status of Medical Expert Systems
As demonstrated, expert systems will work for certain types of well-defined projects, such as the serial assessment of clinical trial data that requires clinical judgment. The question remains as to how far one might be able to go using this new technology. Almost none of the medical expert systems built so far have been used in a real-world clinical setting. Those that have been used in a clinical setting have been used only in the clinical setting where they were developed. HELP (Health Evaluation through Logical Processing) may be one of the rare exceptions; developed by a team headed by Homer Warner and marketed by Control Data Healthcare Systems, it has been installed in several hospitals. As it stands today, there are some serious drawbacks to using expert systems in clinical practice. There are some important missing links. Perhaps the most important ones are the lack of adequate standards and validation procedures. It is possible that something comparable to the regulatory procedure used for the control of drugs by the United States Food and Drug Administration is needed for these expert systems. The subject is controversial. Testimony before the United States Congress in April of 1986 brought forth several people who objected to governmental control of this newly emerging technology. Those opposed to government regulation feel that regulations will squelch a very fluid, truly creative, and exciting new area in medicine (McDonald, 1986). They further feel that physicians do not need them, since physicians are intelligent enough to judge the systems for themselves and have the training and experience to use them in an appropriate way. They contend that expert systems are simply a new and advanced way of recording and retrieving knowledge, similar to the way it is done using books and journals.
Medical publishing is not controlled by the government and does not need to be, nor, they contend, do expert systems. Resolution of the controversy may depend upon whether expert systems will be considered an extension of the publishing medium or a new medical device that must be controlled. It is this author’s opinion that expert systems can and will eventually go far beyond published materials in influencing and directing clinical practice. Government regulation of expert systems is inevitable. It is only a matter of time and will probably occur in the not too distant future. Those of us who wish to build and/or use expert systems in clinical practice need to be concerned about these matters. Fortunately, for those who wish to use expert systems for data analysis in clinical trials and other clinical research areas, the problems related to clinical practice do not apply. This group of users can devote their energies to the fundamentals of building and using expert systems. The two aspects of their development that need attention are knowledge representation and inferencing techniques. Methods of knowledge representation are under intensive research. Perhaps the most fundamental and surprisingly simple contribution of this research so far is the IF-THEN format for the representation of knowledge. Semantic networks allow rules to be built into causal chains that allow a “deeper” level of knowledge representation. These tools work quite well for building a system for a limited and well-defined problem such as the one described in this article. Current methodology for building expert systems generally provides for fairly complete separation of the knowledge base and the inference engine. For most practical applications today, the use of inference engines and expert system shells, such as the one we used for the demonstration project, would appear to be the way to go. There are several excellent reviews of the field (Waterman, 1986; Shortliffe et al., 1990).
6. Concluding Remarks
6.1 A Brief Look Toward the Future
This chapter covers, as well as the author is able to do, the revolution (the term is used advisedly) that is being brought about in medicine by the technological developments related to the merger of the computer and communications, that is, information age medicine. We call the related systems computer-based medical systems (CBMS). The pace of the revolution has been quite deliberate, as one would expect in the healing profession. Among the earliest applications, beginning in the early 1960s, were the automation of electrocardiographic data analyses and laboratory quality-control systems. Medical records automation, initially related to billing and inventory control, was also attempted at about the same time. However, it was not until the rise of the personal computer that the private practice physician began to pay serious attention to computers as they relate to clinical medicine. Certain specialties adapted to computing early. Radiology entered the computer age early using computer axial tomography (CAT) scanners. This was followed by magnetic resonance imaging and, currently, digital imaging of general radiology. Filmless radiology seems inevitable in the not too distant future. As the medical records system becomes more completely automated, medicine will be able to move to a more advanced state of information age medicine. Because of the existence of these records, statistical analyses can be used to manage public health, including such items as the comprehensive evaluation of patient care protocols, of drugs, and of the long-term outcomes of treatment, among other statistical evaluations. For example, cost-effective treatments can be identified. Comprehensive care over a lifetime can become a reality. Both macro and micro management can be improved. A new kind of medical professional, perhaps called a “medical information specialist,” is apt to emerge. In a more personal context, patients can be responsible for, and more in control of, their individual health. In addition to the comprehensive personal data on each patient, a physician also has direct access to virtually all relevant medical knowledge through the doctor’s desktop computer. With the advent of multimedia systems, the doctor can also call up and observe x-rays, coronary angiograms, color slides, and other laboratory data as well as text material. In the not too distant future, without leaving his desk a doctor might feed certain parameters, such as vital signs, symptoms, and laboratory data, into a desktop computer and receive in return suggested patient care protocols, including drug regimens.
The feedback will include appropriate literature references and other background material, such as contraindicated medications, potential side effects, alternative treatment regimens, and how and when to seek a consult. Computer-based medical systems also offer interesting possibilities for patient education and for the continuing education of health professionals. They will be the bases of improved clinic and hospital management, including cost controls, simple and automated medical records collection systems, and better scheduling of health professionals as well as of expensive equipment. Technology today often seems to depersonalize medicine, but information age medicine can and should do exactly the opposite. Certain computer-based medical systems are now pushing the limits of traditional controls over medical practice. Professional control by doctors will not change, at least on the surface. However, subtle changes, such as those brought about by the use of expert systems, will make the clear line of authority of the doctor fuzzy and confused. The traditional methods used by the FDA to regulate drugs will not work with computer-based systems. New methods will have to be developed. As is the case with many other areas of science and the professions, information age medicine offers many opportunities as well as pitfalls.
6.2 Summary
This chapter includes a discussion of many of the areas of medicine that are changing due to the impact of computers. Computer-based medical systems are revolutionizing medicine and moving it into the information age. The pace is deliberate, as is appropriate for an area that deals with human health. The potential for great benefits exists, and many have already been achieved. By the same token, the changes being brought about by computers create new problems and exacerbate existing ones. Patient privacy and confidentiality are challenged; traditional controls over medicine are challenged. Ethical and legal issues related to the use of computer software and hardware in patient care are raised. Some of these issues are described and discussed in the second and third sections of this review article. The fourth and fifth sections discuss specific computer-based medical systems. The continuing automation of medical records is bringing medicine into the information age. Systems designed to assist in clinical evaluations are described. Imaging systems are only briefly discussed, even though radiology is probably the most advanced of any medical specialty in its use of computers; the limited coverage here is due in part to its adequate coverage elsewhere. Medical devices, which are incorporating more and more pieces of computer technology, both hardware and software, represent a real dilemma for medicine, since their regulation challenges traditional approaches. A special section has been reserved for those computer-based medical systems that rely on artificial intelligence. Artificial intelligence technology has a special symbiotic relationship with medicine. Quite a bit of the research in artificial intelligence has used medicine as a model. This is especially true for artificial neural systems. Many of the systems originally came out of neurophysiological research and were developed in an attempt to model the function of the human brain at the neuron level.
At the same time, the development and study of some artificial neural systems have provided new insights for neurophysiology. Current artificial neural systems have broad applications outside of medicine, and none of them resembles the actual human brain too closely. An extensive list of references is included; it is divided into the same major categories of computer-based medical systems used in the text.
References

A. GENERAL
Blum, R. L. (1982). Discovery, confirmation, and incorporation of causal relationships from a large time-oriented clinical data base: The RX Project. Computers and Biomedical Research 15, 164-87.
Kingsland, L. C., Lindberg, D. A. B., and Sharp, G. C. (1986). Anatomy of a knowledge-based consultant system: AI/RHEUM. MD Computing 3(5), 18-27.
Kriewall, T. J. and Long, J. L. (1991). Computer-based medical systems. Computer 24(3), 9-12.
Kunz, J. C., Fallat, R. J., McClung, D. H., Osborn, J. J., Votteri, B. A., Nii, H. P., Aikins, J. S., Fagan, L. M., and Feigenbaum, E. A. (1978). A physiological rule-based system for interpreting pulmonary function test results. Heuristic Programming Project, Report No. HPP-78-19, Stanford University.
Ledley, R. S. (1966). Use of computers in biomedical pattern recognition. Adv. Comp. 10, 217-52.
Long, J. M. (1986). On providing a lifetime automated health record for individuals. Proc. MEDINFO 86 5, Washington, DC, pp. 805-9.
Long, J. M., Slagle, J. R., Leon, A. S., Wick, M. W., Fitch, L. L., Matts, J. P., Karnegis, J. N., Bissett, J. K., Sawin, H. S., and Stevenson, J. P. (1987). An example of expert systems applied to clinical trials: Analysis of serial graded exercise ECG test data. Controlled Clinical Trials 8, 136-45.
Long, J. M. (1987). The portable automated medical record: A new technology that raises “old” issues for medical record standardization. Topics in Health Record Management 8(2), 44-9.
McDonald, C. T. (1986). Editorial: Medical software regulations, why now? MD Computing 3(5), 7-8.
Miller, A. R. (1971). “The Assault on Privacy: Computers, Data Banks, and Dossiers,” University of Michigan Press.
Miller, R. A., Pople, H. E., and Myers, J. D. (1982). INTERNIST-1, an experimental computer-based diagnostic consultant for general internal medicine. New Engl. J. Med. 307(8), 468-76.
Miller, R. A., Schaffner, K. F., and Meisel, A. (1985). Ethical and legal issues related to the use of computer programs in clinical medicine. Ann. Int. Med. 102(4), 529-36.
Miller, R., Masarie, F. E., and Myers, J. D. (1986). Quick medical reference (QMR) for diagnostic assistance. MD Computing 3(5), 34-48.
Norman, K. L. (1988). Models of the mind and machine: Information flow and control between humans and computers. Adv. Comp. 32, 210-54.
Oberst, B. B. and Long, J. M. (1987). “Computers in Private Practice Management,” Springer-Verlag, New York.
O’Kane, K. C. (1983). Computers in the health sciences. Adv. Comp. 27, 211-63.
Shortliffe, E. H., Davis, R., Axline, S. G., Buchanan, B. G., Green, C. C., and Cohen, S. N. (1975). Computer-based consultations in clinical therapeutics: Explanation and rule acquisition capabilities of the MYCIN system. Comput. Biomed. Res. 8, 303-20.
Shortliffe, E. H., Perreault, L. E., Wiederhold, G., and Fagan, L. W. (1990). “Medical Informatics,” Addison-Wesley, New York.
Slagle, J. R., Wick, M. W., and Poliac, M. O. (1986). AGNESS: A Generalized Network-Based Expert System Shell. Proceedings of the Fifth National Conference on Artificial Intelligence, Vol. 1.
Solomon, M. (1985). Automated medical history-taking. Connecticut Med. 49(4), 224-6.
Tuhrim, S. and Reggia, J. A. (1986). A rule-based decision aid for managing transient ischemic attacks. MD Computing 3(5), 28-33.
Wakefield, J. S. (ed.) (1983). “Managing Medicine: How to Control Your Problems, Your Health, and Your Medical Expenses,” Medical Communications and Service Association, Kirkland, WA.
Waterman, D. A. (1986). “A Guide to Expert Systems,” Addison-Wesley, Boston, 272-88.
Weed, L. L. (1975). “Your Health and How to Manage It,” Essex Publishing Company.
Westin, A. F. (1967). “Privacy and Freedom,” Atheneum Press, New York.
Westin, A. F. and Baker, M. A. (1972). “Databanks in a Free Society,” Quadrangle Books, New York.
Westin, A. F. (1973). Computers and the public’s right of access to government information. Adv. Comp. 17, 283-315.
Whiting-O’Keefe, Q. E., Simborg, D. W., Epstein, W. V., and Warger, A. (1985). JAMA 254, 1185-92.
Information as a “cure” for cancer (1986). Science 232, 1594-5.

B. VALIDATION, REGULATION, AND STANDARDIZATION
Cagnoni, S. and Livi, R. (1989). A knowledge-based system for time-qualified diagnosis and treatment of hypertension. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 121-3.
Connolly, B. (1989). Software safety goal verification using fault tree techniques: A critically ill patient monitor example. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 118-20.
Fries, R. C. and Riddle, R. T. (1989). A software quality assurance procedure to assure a reliable software device. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 135-8.
Fries, R. C., Stoeger, K. J., Zombatfalvy, D. A., Roberts, J. A., Leen, J. M., and Grove, T. A. (1988). A reliability assurance database for analysis of medical product performance. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 9-14.
Hallenbeck, J. J. and Dugan, J. B. (1990). Design of fault-tolerant systems. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 162-9.
Hamilton, D. L. (1992). Identification and evaluation of the security requirements in medical applications. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 129-137.
Ihlenfeldt, L. D. (1988). Quality begins at home: The role of project leader in software quality assurance. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 147-151.
Johnson, B. W. and Aylor, J. H. (1988). Reliability and safety analysis in medical applications of computer technology. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 96-100.
Knight, J. C. (1990). Issues of software reliability in medical systems. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 153-60.
Kokol, P., Stiglic, B., Zumer, V., and Novak, B. (1990). Software crisis and new development paradigms or how to design reliable medical software. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 137-4.
Kothapalli, B. and Durdle, N. G. (1989). Multichannel data acquisition system for gastric motility. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 130-4.
Lal-Gabe, A. (1990). Hazards analysis and its application to build confidence in software test results. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 129-36.
Lief, S. B. and Lief, R. C. (1992). Producing quality software according to medical regulations for devices. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 265-72.
Livi, R. and Cagnoni, S. (1989). Time-qualified evaluation of blood pressure excess. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 124-9.
McAllister, D. F. and Nagle, H. T. (1988). Toward a fault-tolerant processor for medical applications. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 96-100.
Ozdamar, O. (1992). Development and marketing of automated electrophysiological diagnostic devices: Regulatory and safety issues. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 273.
Poliac, M. (1992). Implementing neural networks, software, and hardware in medical products to meet regulatory requirements. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 274.
Paulish, D. J. (1990). Methods and metrics for developing high quality patient monitoring system software. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 142-52.
Reupke, W. A., Srinivasan, E., Rigterink, P. V., and Card, D. N. (1988). The need for a rigorous development and testing methodology for medical software. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 15-20.
Santel, D., Trautmann, C., and Liu, W. (1988). The integration of a formal safety analysis into the software engineering process: An example from the pacemaker industry. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 152-154.
Schneider, R. H. (1988). FDA regulations of computer-based medical systems. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 3-5.
Spector, W. B. (1990). How the insurance industry reviews new medical devices and technology for approval and reimbursement under indemnity and HMO contracts. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, p. 161.
Wittenber, J. (1989). A report on the development of a medical device data language (MDDL). In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 140-151.
Woll, R., Fitch, L. L., Clarkson, P. F., and Long, J. M. (1988). Interactive systems to assure informed patient consent. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 163-6.
Zanetty, J. (1992). Marketing and regulatory issues for software in Europe. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 275.
COMPUTER-BASED MEDICAL SYSTEMS
183
C. AUTOMATED MEDICAL RECORDS SYSTEMS
Favre, E., Bertrand, D., and Pellegrini, C. (1992). A network distributed real-time data acquisition and analysis system. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 147-54.
Kudrimoti, A. S. and Sanders, W. H. (1992). A modular method for evaluating the performance of picture archiving and communication systems. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 44-53.
Martinez, R., Smith, D., and Trevino, H. (1992). Imagenet: A global distributed database for color image storage and retrieval in medical imaging systems. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 198.
Rozewski, C. M., Yahnke, D., and Hart, A. (1992). A comprehensive abstraction tool for the out-patient setting. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 64-73.
Saab, E., Fumai, N., Petroni, M., Roger, K., Collter, C., Malowany, A. S., Carnevale, F. A., and Gottesman, R. D. (1992). Data modeling and design of a patient data management system in an intensive care unit. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 54-63.
D. CLINICAL ASSESSMENT AND RISK EVALUATION
Ayala, D. E. and Hermida, R. C. (1991). Predictable blood pressure variability in clinically healthy human pregnancy. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 54-61.
Bernard, M., Bouchoucha, M., and Cugnenc, P. H. (1990). Analysis of medical signals by an automatic method of segmentation and classification without any a-priori knowledge. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 381-388.
Blanco, C., Cuervas-Mons, V., Muñoz, A., Dueñas, A., Gonzalez, M. A., and Salvador, C. H. (1992). Medical workstation for the management of the transplantation unit of a hospital. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 199-206.
Bottoni, P., Cigada, M., de Guili, A., di Cristofaro, B., and Mussio, P. (1990). Feature-based description and representation of structures in an ECG. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 236-43.
Chitsakul, K., Bouchoucha, M., Lee, J. W., and Cugnenc, P. H. (1991). New method of analysis of epigastric impedance measurement of assessment of gastric emptying and motility. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 10-17.
Clay, W., Burke, D. J., and Sherman, C. (1989). Thermo Cardiosystems' Heartmate™ ventricular assist systems. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 158-63.
Collet, C., Martini, L., Lorin, M., Masson, E., Fumai, N., Petroni, M., Malowany, A. S., Carnevale, F. A., Gottesman, R. D., and Rousseau, A. (1990). Real-time trend analysis for an intensive care unit patient data management system. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 337-44.
Cook, T. A., Fernald, K. W., Miller, T. K., and Paulos, J. J. (1990). A custom microprocessor for implantable telemetry systems. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 412-17.
184
JOHN M. LONG
Dooley, R. L., Dingankar, A., Heimke, G., and Berg, E. (1988). Orthopedic implant design, analysis, and manufacturing system. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 60-4.
Durre, K. P. (1990). BrailleButler: A new approach to non-visual computer applications. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 97-104.
Ebisawa, Y., Kaneko, K., Kojima, S., Ushikubo, T., and Miyakawa, T. (1991). Non-invasive eye-gaze position detection method used on man-machine interface for the disabled. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 374-80.
Fernald, K. W., Cook, T. A., Miller, T. K. III, and Paulos, J. J. (1991). A microprocessor-based implantable telemetry system. Computer 24(3), 23-30.
Franchi, S., Imperato, M., and Prampolini, F. (1992). Multimedia perspectives for next generation PAC systems. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 156-69.
Gerth, W. A., Montgomery, L. D., and Wu, Y. C. (1990). A computer-based bioelectrical impedance spectroscopic system for noninvasive assessment of compartmental fluid redistribution. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 446-53.
Haddab, S., Bouchoucha, M., Cugnenc, P.-H., and Barbier, J. Ph. (1990). New method for electrogastrographic analysis. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 418-25.
Hammer, G. S. (1990). Technology transfer standards for communication aids for disabled people. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 123-128.
Hauck, J. A. (1988). The cardiac volume computer: The development of a real time graphics system using a commercial microcomputer host. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 56-9.
Hermida, R. C., Fernandez, J. R., Ayala, D. E., Rey, A., Cervilla, J. R., and Fraga, J. M. (1991). Prediction of a chronobiologic index for neonatal cardiovascular risk estimation. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 62-9.
Hermida, R. C., Garcia, L., Ayala, D. E., Fernandez, J. R., Mojon, A., Lodeiro, C., and Iglesias, T. (1991). Analysis of nonequidistant hybrid time series of growth hormone by multiple linear least-squares rhythmometry. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 18-25.
Lee, C.-Y., Evens, M., Carmony, L., Trace, D. A., and Naeymi-Rad, F. (1991). Recommending tests in a multimembership Bayesian diagnostic expert system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 28-35.
Himley, S., Butler, K., Takatani, S., Smith, W., and Nose, Y. (1989). Application of computers in development of a total artificial heart. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 164-8.
Hsieh, J. and Ucci, D. R. (1991). Design and modeling of CT systems with GSPN. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 366-73.
Hurwitz, B. E., Shyu, L.-Y., Reddy, S. P., Scheiderman, N., and Nagel, J. H. (1990). Coherent ensemble averaging techniques for impedance cardiography. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 228-35.
Kizakevich, P. N., Teague, S. M., Jochem, W. J., Nissman, D. B., Niclou, R., and Sharma, M. K. (1989). Detection of ischemic response during treadmill exercise by computer-aided impedance cardiology. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 10-15.
Lachance, J., Sawan, M., Pourmehdi, S., Duval, F. (1990). A computerized remote control for an implanted urinary prosthesis. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 112-6.
Li, C. W. and Cheng, H. D. (1990). A mathematical model for pulmonary blood circulation. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 397-404.
Liu, Z.-Q., Zhang, Y.-T., Ladly, K., Frank, C. B., Rangayyan, R. M., and Bell, G. D. (1990). Reduction of interference in knee sound signals by adaptive filtering. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 389-396.
Luria, S. M., Southerland, D. G., and Stetson, D. M. (1991). A clinical trial of a computer diagnosis program for chest pain. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 97-104.
MacGill, I. F., Cade, J. F., Siganporia, R., and Packer, J. S. (1990). VAD: Ventilation management in the I.C.U. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 345-9.
Manolakos, E. S., Stellakis, H. M., and Brooks, D. H. (1991). Parallel processing for biomedical signal processing: Higher order spectral analysis-An application. Computer 24(3), 33-43.
Montgomery, L. D., Montgomery, R. W., Gerth, W. A., and Guisado, R. (1990). Rheoencephalographic and electroencephalographic analysis of cognitive workload. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 220-7.
Myers, G. A., Sherman, K. R., and Stark, L. (1991). Eye monitor: Microcomputer-based instrument uses an internal model to track the eye. Computer 24(3), 14-21.
Nevo, I., Guez, A., Ahmed, F., and Roth, J. V. (1991). System theoretic approach to medical diagnosis. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 94-6.
Paul, A. (1988). The travail involved in getting FDA approval... An overview on what it took to get FDA approval of a medical device with computer technology (a recent experience). In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 28-9.
Peindl, R. D., Hermann, M. C., Russell, K. R., and McBryde, A. M. (1990). Development of a microcomputer system for assessment of chronic compartment syndrome. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 438-45.
Petroni, M., Collet, C., Fumai, N., Roger, K., Groleau, F., Yien, C., Malowany, A. S., Carnevale, F. A., and Gottesman, R. D. (1991). An automatic speech recognition system for bedside data entry in an intensive care unit. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 358-65.
Pourmehdi, S., Mouine, J., Sawan, M., and Duval, F. (1990). Microcomputer-based tactile hearing prosthesis. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 117-22.
Prasad, B., Wood, H., Greer, J., and McCalla, G. (1989). A knowledge-based system for tutoring bronchial asthma diagnosis. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 40-5.
Purut, C. M., Craig, D. M., McGoldrick, J. P., and Smith, P. K. (1990). Determination of vascular input impedance in near real-time using a portable microcomputer. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 252-8.
Quint, S. R., Messenheimer, J. A., Tennison, M. B., and Nagle, H. T. (1989). Assessing autonomic activity from the EKG related to seizure onset detection and localization. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 2-9.
Rey, H. R., Han, S. A., Higgins, A., Rosasco, K., Peisner, D., and James, L. S. (1989). Computer prediction of neonatal outcome and comparison with assessments by physicians and midwives. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 16-24.
Roger, K., Collet, C., Fumai, N., Petroni, M., Malowany, A. S., Carnevale, F. A., and Gottesman, R. D. (1992). Nursing workload management for a patient data management system. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 216-23.
Satti, J. A., Westervelt, F. H., and Ragan, D. P. (1991). A proposed parallel architecture for 3D dose computation in radiation therapy treatment plan. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 258-62.
Sawan, M., Duval, F., Pourmedhdi, S., and Mouine, J. (1990). A new multichannel bladder stimulator. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 190-6.
Shaw, R., Crisman, E., Loomis, A., and Laszewski, Z. (1990). The eye wink control interface: Using the computer to provide the severely disabled with increased flexibility and comfort. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 105-11.
Smith, K., Bearnson, G., Kim, H., Layton, R., Jarmin, R., and Smith, J. (1990). Electronics for the electrohydraulic total artificial heart. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 517-24.
Somerville, A. J. (1988). Failsafe design of closed loop systems. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 23-7.
Srini, K., Babadi, A., Kumar, V., Kamana, S., Dai, Z., Lin, Q., and Gollapudy, C. (1992). Multimedia and its application in medicine. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 155.
Synder, A. J., Weiss, W. J., Pierce, W. S., and Nazarian, R. A. (1989). Microcomputer control of permanently implanted blood pumps. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 154-7.
Ta, N. P., Attikiouzel, Y., and Crebbin, G. (1990). Electrocardiogram compression using lapped orthogonal transform. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 244-51.
Taube, J. C., Pillutla, R., and Mills, J. (1988). Criteria for an adaptive fractional inspired oxygen controller. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 129-32.
Wang, T. P. and Vagnucci, A. H. (1990). Peak detection and hormone production within a cortisol circadian cycle. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 405-11.
Zanetti, J. M. and Salerno, D. M. (1991). Seismocardiography: A technique for recording precordial acceleration. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 4-9.
E. ARTIFICIAL INTELLIGENCE AND NEURAL NETWORKS
Anabar, M. and Anabar, A. (1988). The "understanding" of natural language in CAI and analogous mental processes. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 112-7.
Bankman, I. N., Sigillito, V. G., Wise, R. A., and Smith, P. L. (1991). Detection on the EEG K-complex wave with neural networks. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 280-7.
Benachenhou, D., Cader, M., Szu, H., Medsker, L., Wittwert, C., and Garling, D. (1990). AIDS viral DNA amplification by polymerase chain reaction employing primers selected by AI expert system and an ART neural network. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 504-11.
Benaroch, L. M. and Chausmer, A. B. (1989). A new approach to computer directed insulin management systems: Diacomp. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 80-96.
Bergeron, B. P. (1989). Challenges associated with providing simulation-based medical education. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 114-6.
Bobis, K. G., Evens, M., and Hier, D. (1989). Automating the knowledge acquisition process in medical expert systems. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 81-8.
Bronzino, J. D., Morelli, R. A., and Goethe, J. W. (1991). Design of an expert system for monitoring drug treatment in a psychiatric hospital. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 219-25.
Chan, K. C. C., Ching, J. Y., and Wong, A. K. C. (1992). A probabilistic inductive learning approach to the acquisition of knowledge in medical expert systems. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 572-81.
Chang, R.-C., Evens, M., Rovick, A. A., and Michael, J. A. (1992). Surface generation in a tutorial dialogue based on analysis of human tutoring sessions. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 554-61.
Chu, W. W., Ieong, I. T., Taira, R. K., and Breant, C. M. (1992). A temporal evolutionary object-oriented data model for medical image management. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 84-91.
Cios, K. J., Shin, I., and Goodenday, L. S. (1991). Using fuzzy sets to diagnose coronary artery stenosis. Computer 24(3), 57-63.
Conigliaro, N., Di Stefano, A., and Mirabella, O. (1988). An expert system for medical diagnosis. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 75-81.
Duerer, H., Wang, K., Wischnewsky, M. B., Zhao, J., and Hommel, J. (1992). Intensive help-A knowledge-based systems for intensive care units. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 335-44.
Dutta, S. (1988). Temporal reasoning in medical expert systems. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 118-22.
Eberhart, R. C., Dobbins, R. W., and Webber, W. R. S. (1989). Casenet: A neural network tool for EEG waveform classification. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 60-8.
Eberhart, R. C., Dobbins, R. W., and Hulton, L. V. (1991). Neural network paradigm comparisons for appendicitis diagnoses. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 298-304.
Eberhart, R. C. and Dobbins, R. W. (1990). Neural network performance metrics for biomedical applications. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 282-9.
Egbert, D. D., Kaburlasos, V. G., and Goodman, P. H. (1989). Invariant feature extraction for neurocomputer analysis of biomedical images. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 69-73.
Fu, L.-M. (1990). Refinement of medical knowledge bases: A neural network approach. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 290-307.
Gage, H. D. and Miller, T. K. (1990). Mapping networks for analysis of the forced expired volume signal. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 366-73.
Hadzikadic, M. (1992). Medical diagnostic expert systems: Performance vs. representation. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 562-71.
Hoogendoorn, E. L., Langton, K. B., Solntseff, N., and Haynes, R. B. (1991). A PC-based interface for an expert system to assist with preoperative assessments. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 251-7.
Hughes, C. (1988). Exploratory and directed analysis of medical information via dynamic classification trees. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 107-11.
Hwang, G. J. and Tseng, S. S. (1990). Building a multi-purpose medical diagnosis system under uncertain and incomplete environment. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 321-8.
Irani, E. A., Long, J. M., and Slagle, J. R. (1988). Experimenting with artificial neural networks-artificial intelligence mini-tutorial, part III. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 45-6.
Irani, E. A., Matts, J. P., Hunter, D. W., Slagle, J. R., Kain, R. Y., and Long, J. M. (1990). Automated assistance for maintenance of medical expert systems: The POSCH AI Project. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 275-81.
Kim, J. J. and Bekey, G. A. (1992). Adaptive abstraction in expert systems for medical diagnosis. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 345-52.
Koch, P. and Leisman, G. (1990). A continuum model of activity waves in layered neuronal networks: Computer models of brain-stem seizures. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 525-31.
Kowarski, D. (1990). A low-cost personal computer-based radiology diagnostic expert system and image and text database. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 298-305.
Krieger, D., Burk, G., and Sclabassi, R. J. (1991). Neuronet: A distributed real-time system for monitoring neurophysiologic function in the medical environment. Computer 24(3), 45-55.
Kuhn, K., Roesner, D., Zemmler, T., Swobodnik, W., Janowitz, P., Wechsler, J. G., Heinlein, C., Reichert, M., Doster, W., and Ditschuneit, H. (1991). A neural network expert system to support decisions in diagnostic imaging. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 244-50.
Leung, L. A., Slagle, J. R., Finkelstein, S. M., and Warwick, W. J. (1988). Temporal reasoning in medicine with an example in cystic fibrosis patient management-artificial intelligence mini-tutorial, part III. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 43-4.
Lin, W. and Tang, J.-X. (1991). DiagFH: An expert system for diagnosis of fulminant hepatitis. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 330-7.
Long, J. M., Slagle, J. R., Wick, M. R., Irani, E. A., Weisman, P. R., Matts, J. P., Clarkson, P. F., and POSCH Group (1988). Lessons learned while implementing expert systems in the real world of clinical trials data analyses: The POSCH AI Project. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 167-73.
Lusth, J. C., Bhatt, A. K., and Meehan, G. V. (1989). An embedded knowledge-based system for interpreting microbiology data. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 76-80.
Mattson, E. J., Thomas, M. M., Trenz, S. A., and Cousins, S. B. (1990). The WIC advisor: A case study in medical expert system development. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 329-36.
Mayer, G., Yamamoto, C., Evens, M., and Michael, J. A. (1989). Constructing a knowledge base from a natural language text. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 98-107.
McMillan, M. M. and Walter, D. C. (1989). Automated medical student-A computational model of skill acquisition and expert performance. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 108-11.
Ozdamar, O., Yaylali, I., Jayakar, P., and Lopez, C. N. (1991). Multilevel neural network system for EEG spike detection. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 272-9.
Pan, B. and Abdelhamied, K. (1992). Application of artificial neural networks for automatic measurement of micro-bubbles in microscopic images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 105-14.
Petrucci, K. E., Petrucci, P., Dobbs, G., Baranoski, B., and McQueen, L. (1991). The clinical evaluation of UNIS: An expert system for the long-term care of patients with urinary incontinence. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 236-43.
Poli, R., Cagnoni, S., Livi, R., Coppini, G., and Valli, G. (1991). A neural network expert system for diagnosing and treating hypertension. Computer 24(3), 64-71.
Poliac, M. O., Zanetti, J. M., Salerno, D., and Wilcox, G. L. (1991). Seismocardiogram (SCG) interpretation using neural networks. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 288-95.
Sagerer, G. and Niemann, H. (1988). An expert system architecture and its application to the evaluation of scintigraphic image sequences. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 82-8.
Schellenberg, J. D., Naylor, W. C., and Clarke, L. P. (1990). Application of artificial neural networks for tissue classification from multispectral magnetic resonance images of the head. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 350-7.
Schizas, C. M., Pattichis, C. S., Livesay, R. R., Schofield, I. S., Lazarou, K. X., and Middleton, L. T. (1991). Unsupervised learning in computer aided macro electromyography. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 305-12.
Shapiro, L. and Stetson, D. M. (1990). A general purpose shell for research assessment of Bayesian knowledge bases supporting medical diagnostic software systems. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 261-14.
Stetson, D. M., Eberhart, R. C., Dobbins, R. W., Pugh, W. M., and Gino, A. (1990). Structured specification of a computer assisted medical diagnostic system. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 374-380.
Strand, E. M. and Johns, W. T. (1990). A neural network for tracking the prevailing heart rate of the electrocardiogram. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 358-65.
Tonkonogy, J. M. and Armstrong, J. (1988). Diagnostic algorithms and clinical diagnostic thinking. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 71-4.
Wang, C. H. and Tseng, S. S. (1990). A brain tumor diagnostic system with automatic learning abilities. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 313-20.
Wilson, K., Webber, W. R. S., Lesser, R. P., Fischer, R. S., Eberhart, R. C., and Dobbins, R. W. (1991). Detection of epileptiform spikes in the EEG using a patient-independent neural network. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 264-71.
Woo, C. W., Evens, M., Michael, J., and Rovick, A. (1991). Dynamic instructional planning for an intelligent physiology tutoring system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 226-33.
Wreder, K., Park, D. C., Adouadi, M., and Gonzalez-Arias, S. M. (1992). Stereotactic surgical planning using three-dimensional reconstruction and artificial neural networks. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 612-5.
Yoon, Y. O., Brobst, R. W., Bergstresser, P. R., and Peterson, L. L. (1990). Automated generation of a knowledge-base for a dermatology expert system. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 306-12.
Zhang, Y., Evens, M., Michael, J. A., and Rovick, A. A. (1990). Extending a knowledge base to support explanations. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 259-66.
F. IMAGING SYSTEMS
de Graaf, C. N., Koster, A. S. E., Vincken, K. L., and Viergever, M. A. (1992). A methodology for the validation of image segmentation method. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 17-24.
Geckle, W. J. and Szabo, Z. (1992). Physiological Factor Analysis (PFA) and parametric imagining of dynamic PET images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 9-16.
Hemler, R. F., Koumrian, T., Adler, J., and Guthrie, B. (1992). A three dimensional guidance system for frameless stereotactic neurosurgery. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 309-14.
Pearlman, W. A. and Abdel-Malek, A. (1992). Medical image sequence interpolation via hierarchical pel-recursive motion estimation. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 232-41.
Ramirez, M., Mitra, S., Kher, A., and Morales, J. (1992). 3-D digital surface recovery of the optic nerve head from stereo fundus images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 284-91.
Shah, U. B. and Nayar, S. K. (1992). Extracting 3-D structure and focused images using an optical microscope. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 292-301.
Stockett, M. H. and Soroka, B. J. (1992). Extracting spinal cord contours from transaxial MR images using computer vision techniques. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 1-8.
Tavakoli, N. (1992). Analyzing information content of MR images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 224-31.
Zhao, W., Chang, J. Y., Smith, D. M., and Ginsberg, M. D. (1992). Disparity analysis and its application to three-dimensional reconstruction of medical images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 302-8.
G. MEDICAL DEVICES
Abousleman, G. P., Jordan, R., Asgharzadeh, A., Canady, L. D., Koechner, D., and Griffey, R. H. (1990). A novel eigenvector-based technique for spectral estimation of time-domain data in medical imaging. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 426-31.
Anbar, M. and D'Arcy, S. (1991). Localized regulatory frequencies of human skin temperature derived from analysis of series of infrared images. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 184-91.
Asgharzadeh, A., Jordan, R., Aboulesman, G., Canady, L. D., Koechner, D., and Griffey, R. H. (1990). Applications of adaptive analysis in magnetic resonance imaging. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 75-80.
Buchanan, J. and Thompson, B. G. (1990). Opportunities for the use of broad-band packet-switched data networks for direct patient care. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 9-13.
Canady, L. D., Jordan, R., Asgharzadeh, A., Abousleman, G., Koechner, D., and Griffey, R. H. (1990). Time-domain analysis of magnetic resonance spectra and chemical shift images. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 432-7.
Cheng, H. D., Li, X. Q., Riordan, D., Scrimger, J. N., Foyle, A., and MacAulay, M. A. (1991). A parallel approach to tubule grading in breast cancer lesions and its VLSI implementation. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 322-9.
Cook, G. B. (1989). M.L.I. databases with the words of clinical medicine. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 26-8.
192
JOHN M. LONG
Culver, T. L.and Cheng, S. N.-C. (1990). Computer simulation of a brain slice using fractals. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 512-6. Davis, D. T., Hwang, J.-N., and Lee, J. S.-J. (1991). Improved network inversion technique for query learning: Application to automated cytology screening. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 313-20. Dayhoff, R. E., Kuzmak, P. M., Maloney, D. L., and Shepard, B. M. (1991). Experience with an architecture for integrating images into a hospital information system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 121-8. Ellingtion, W. W. (1990). A medical care application using the integrated services digital network. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 24-32. Frieder, 0. and Stytz, M. R. (1990). Dynamic detection of hidden-surfaces using a MIMD multiprocessor. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 44-51. Fumai. N.. Collet, C., Petroni, M., Roger, K., Lam, A., Saab, E., Malowany, A. S., Carnevale, F. A., and Gottesman, R. D. (1991). Database design of an intensive care unit patient data management system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 78-85. Fumai, N., Collet, C., Petroni, M., Malowany, A. S., Carnevale, F. A., Gottesman, R. D., and Rousseau, A. (1990). The design of a simulator for an intensive care unit patient data management system. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 454-61. Greenshields, I. R., DiMario, F., Ramsby, G., and Perkins, J. (1991). Determination of ventricular structure from multisignature MR images of the brain. 
In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 135-44. Guan, S.-Y. and McCormick, B. H. (1991). Design of a 3D deformable brain atlas. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 113-30. Harris, M., Workman, K. B., Arrildt, W. D., and Leo, F. P. (1991). Benefits of using microcomputers to monitor imaging equipment service in a radiology department. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 178-82. Hiriyannaiah, H. P., Synder, W. E., and Bilbro, G. L. (1990). Noise in reconstructed images in tomography parallel, fan and cone beam projections. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 81-8. Jasiobedzki, P., McLeod, D., and Taylor, C. J. (1991). Detection on non-perfused zones in retinal images. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 162-9. Koechner, D., Rasure, J., Griffey, R. H., and Sauer, T. (1990). Clustering and classification of multispectral magnetic resonance images. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 32-7. Kuhn, K., Doster, W., Roesner, D., Kottmann, P., Swobodnik, W., and Ditschuneit, H. (1990). An integrated medical workstation with a multimodal user interface, knowledgebased user support, and multimedia documents. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 469-78.
COMPUTER-BASED MEDICAL SYSTEMS
193
Kurak, C. W., Jr. (1991). Adaptive histogram equilization: A parallel implementation. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 192-9. Laxer, C., Ideker, R. E., Smith, W. M., Wolf, P. D., and Simpson, E. V. (1990). A graphical display system for animating mapped cardiac potentials. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 197-204. Levine, S. D. (1989). Development of a PC-based clinical information system suitable for small-group medical practice. In Proceedings of the Second IEEE Symposium on ComputerBased Medical Systems 2, Computer Society Press, pp. 52-5. Liu, Z.-Q., Rangayyan, R. M., and Frank, C. B. (1990). Analysis directional features in images using gabor filters. I n Proceedings of the Third IEEE Symposium on ComputerBased Medical Systems 3, Computer Society Press, pp. 68-74. Losee, R. M. and Moon, S. B. (1990). Analytic prediction of medical document retrieval system performance. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 477-83. Ma, H.-N. N., Evens, M., Trace, D. A., and Naeymi-Rad, F. (1990). An intelligent progress note system for medas (A bayesian medical expert system). I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 484-91. MacAulay, M. A.. Scrimger, J. N., Riordan, D., Foyle, A., and Cheng, H. D. (1991). An interactive graphics package with standard examples of the Bloom and Richardson histological grading technique. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 108-12. Michael, P. A., Kanich, R. E., Hall, C. P., and Ruche, S. H. (1990). Computerized clinical histories: The development of an HIS subsystem in a community hospital. 
In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 462-8. Mussio, P., Pietrogrande, M., Bottoni, P., Dell’Oca, M., Arosio, E., Sartirana, E., Finanzon, M. R., and Dioguardi, N. (1991). Automatic cell count in digital images of liver tissue sections. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 153-60. Nemat, M., Martinez, R., Osada, M., Tawara, K., and Komatsu, K. (1990). A high speed integrated computer network for picture archiving and communication system (PACS). I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 14-23. Nevo, I., Roth, J. V., Ahmed, F., and Guez, A. (1991). A new patient’s status to facilitate decision making in anesthesia. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 88-93. Nilsson, A. A. and Khanmoradi, H. (1990). A queuing model of picture archiving and communication systems (PACS) with a hierarchy of storage. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 1-8. Olagunju, D. A. and Goldenberg, 1. F. (1989). Clinical databases: Who needs one (criteria analysis). I n Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 36-9. Perkowski, M., Wang, S., Spiller, W. K., Legate, A., and Pierzchata, E. (1990). Ovulocomputer: Application of image processing and recognition to mucus ferning patterns. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 52-9.
194
JOHN M. LONG
Rao, N. (1990). Frequency modulated pulse for ultrasonic imaging in an attenuating medium. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 89-96. Reilly, R. E., Amirinia, M. R., and Soames, R. W. (1991). A two-dimensional imaging walkway for gait analysis. I n Proceedings of the Fourth IEEE Symposium on ComputerBased Medical Systems 4, Computer Society Press, pp. 145-52. Robert, S., Prakash, S., Naeymi-Rad, F., Trace, D., Carmony, L., and Evens, M. (1991). MEDRIS: The hypermedia approach to medical record input-software engineering techniques for developing a hypermedia system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 44-51. Rogers, E., Arkin, R. C., and Baron, M. (1991). Visual interaction in diagnostic radiology. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 170-7. Roggio, R. F. (1991). Performance resource profiling using a computer-based number discrimination test system. In Proceedings of the Fourth IEEE Symposium on ComputerBased Medical Systems 4, Computer Society Press, pp. 36-43. Roy, S.C., Krakow, W. T., Sacks, B., Batchelor, W. E., Bohs, L. N., and Barr, R. C. (1990). The design and verification of a VLSl chip for electrocardiogram data compression. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 170-7. Samuels, W.B., Evens, M., Naeymi-Rad, F., Rosenthal, R., Naeymirad, S., Lee,C.,Trace, D., and Carmony, L. (1989). Extending the feature dictionary to support sophisticated feature interaction and classification. In Proceedings of the Second IEEE Symposium on ComputerBased Medical Systems 2, Computer Society Press, pp. 29-35. Sanders, J. A. and Orrison, W. W. (1992). Design and implementation of a clinical MSI workstation. 
I n Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 138-46. Santago, P., Link, K. M., Snyder, W. E., Rajala, S. A., and Worley, J. S . (1990). Restoration of cardiac magnetic resonance images. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 60-7. Schwartz, M. D., Irani, P., Smith, 1. P., Ledford, C., and Funnel, W. R. J. (1988). Labor and delivery information system. I n Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 139-43. Smith, M. F., Jaszczar, R. J., Floyd, C. E., Jr., Greer, K. L., and Coleman, R. E. (1990). Interactive visualization of three-dimensional aspect cardiac images. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 213-9. Srinivasa, N., Ramakrishnan, K. R., and Rajgopal. K. (1988). Adaptive noise canceling in computed tomography. I n Proceedings of the Symposium on the Engineering of ComputerBased Medical Systems 1, Computer Society Press, pp. 65-8. Strickland, T. J., Jr. (1991). Development of an information system to assist management of critically ill patients. I n Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 70-7. Stytz, M. R., Frieder, G., and Frieder, 0. (1988). On the exploitation of a commercially available parallel processing architecture for medical imaging. I n Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 49-55. Syh, H. W.,Chu, W. K.. and McConnell, J. R. (1991). A microcomputer based system for MR imaging analysis of brain for hepatic encephalopathy. I n Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 130-4.
COMPUTER-BASED MEDICAL SYSTEMS
195
Tavakoli, N. (1991). Lossless compression of medical images. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 200-7. Tompkins, W. J . and Luo, S. (1990). Twelve-lead simulation for testing interpretive ECG machines. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 178-81. Wada, T. (1990). Akaike’s model versus conventional spectral analysis as tools for analyzing multivariate clinical time series. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 532-9. Wang, G.-N., Evens, M., and Hier, D. B. (1990). On the evaluation on LITREF: a PC-based information retrieval system to support stroke diagnosis. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 548-55. Wang, G.-N., Evens, M., and Hier, D. B. (1989). LITREF-A microcomputer based information retrieval systems supporting stroke diagnosis, design, and development. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 46-5 I . Wu, 2 . and Guo, Y. (1990). A microcomputer based image analysis system for the left ventricle and the coronary artery. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 205-12. Zhao, D. and Trahey, G. E. (1990). Two algorithms for correcting phase aberration in a computer-controlled ultrasound imaging system. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 38-43.
This Page Intentionally Left Blank
Algorithm-Specific Parallel Processing with Linear Processing Arrays
JOSE A. B. FORTES, School of Electrical Engineering, Purdue University, West Lafayette, Indiana
BENJAMIN W. WAH, Coordinated Science Laboratory, University of Illinois, Urbana, Illinois
WEIJIA SHANG, Center for Advanced Computer Studies, University of Southwestern Louisiana, Lafayette, Louisiana
KUMAR N. GANAPATHY, Coordinated Science Laboratory, University of Illinois, Urbana, Illinois
1. Introduction 198
1.1 General Notation 199
1.2 Algorithm Model 199
1.3 Relation to Nested-Loop Programs 202
2. The Mapping Problem 204
3. Computation-Conflict-Free Mappings 207
4. Time-Optimal Mappings without Computational Conflicts 211
5. Parameter-Based Methods 217
5.1 Parameters 219
5.2 Constraints 222
5.3 Design Method 226
6. Applications of the General Parameter Method 230
7. Conclusions 241
References 243
ADVANCES IN COMPUTERS, VOL. 38   197
Copyright © 1994 by Academic Press, Inc. All rights of reproduction in any form reserved. ISBN 0-12-012138-7
198 JOSE A. B. FORTES et al.
1. Introduction
Many applications of digital signal processing, scientific computing, digital communications, and control are characterized by repeated execution of a small number of computationally intensive operations. In order to meet performance requirements it is often necessary to dedicate hardware with parallel processing capabilities to these specialized operations. Processor arrays, due to their structural regularity and consequent suitability for VLSI implementation, are frequently used for this purpose. Regardless of whether their structures are fixed or designed to match algorithm characteristics, it is important to understand how to map these algorithms into processor arrays. This article discusses systematic ways of deriving such mappings. The techniques are illustrated by examples involving linear arrays of processors (one-dimensional processor arrays); however, unless otherwise stated, the results can be extended to arrays of arbitrary dimension. Several linear arrays have been implemented for specific applications as well as for “wide-purpose” computing (Valero et al., 1991; Fortes et al., 1992). They are easier to build and program than arrays of higher dimensions. In particular, the connections among neighboring processors can be made very fast and, therefore, provide large communication bandwidths. For example, physical links in Warp (Annaratone et al., 1987; Menzilcioglu et al., 1989; Baxter et al., 1990) can serve several virtual channels capable of communication among neighboring cells. This is also the case for algorithm-specific linear arrays but, for design simplicity, each link may be used to transfer only one data item instead of being multiplexed among several of them. In this paper, we present two methods of systematically mapping recurrent computations on such linearly connected processor arrays.
The first method guarantees that no more than one computation is assigned to execute in any processor at any given time but assumes enough data channels between processors for the necessary data communication. The second method considers, in addition to computational conflicts, the possibility of communication conflicts and guarantees that individual links are not required to pass more than one data item at a time. The techniques discussed here apply to algorithms described as recurrences, either by mathematical expressions or by high-level language programs. Section 1.2 provides a precise characterization of the class of algorithms for which our results are strictly valid. However, more general classes of algorithms and programs can also be mapped using similar techniques either in a piecewise manner or as heuristics to guide the search for good designs.
ALGORITHM-SPECIFIC PARALLEL PROCESSING 199
Once algorithms are characterized as sets of computations ordered by data dependences, the problem of mapping algorithms to processor arrays becomes equivalent to that of finding a function that assigns a processor and an instant of time to each computation of that algorithm. This function must have certain properties that guarantee computational correctness and efficient usage of processing resources. This paper describes techniques and methods of mapping parameterized representations of the algorithms to the linearly connected architectures of interest. Sections 2, 3, and 4 discuss the dependence-based method (DM) and techniques of selecting linear mappings. Sections 5 and 6 present an alternative approach, called the generalized parameter-based method (GPM), and show how it relates to the dependence-based method. Optimization procedures used with both approaches are described along with examples. Sections 2-4 are partially based on the work of Shang and Fortes (1992), and Sections 5 and 6 on that of Ganapathy and Wah (1992a,b).
1.1 General Notation
Arrows are used to denote vectors, while the transpose of a vector $\vec{v}$ or of a matrix $M$ is denoted

$N_j - 1$ for some $j$) would allow the identification of an optimal mapping by solving an integer linear programming problem. It turns out that if the allocation matrix $S$ is known, $f_j$, $j = 1, \ldots, n$, are indeed linear functions of $\pi_l$, $l = 1, \ldots, n$. This is illustrated by the following example.
Example 3.1. Consider the matrix-multiplication algorithm. If the space allocation matrix $S$ is chosen as $[1, -1, 0]$, the mapping matrix $T$ and its conflict vector $\vec{\gamma}$ are

$$T = \begin{bmatrix} \pi_1 & \pi_2 & \pi_3 \\ 1 & -1 & 0 \end{bmatrix}, \qquad \vec{\gamma} = \lambda \begin{bmatrix} \pi_3 \\ \pi_3 \\ -(\pi_1 + \pi_2) \end{bmatrix}. \tag{3.3}$$

It is clear that $T\vec{\gamma} = \vec{0}$. If $\Pi$ is chosen such that $\pi_3 \neq 0$ or $\pi_1 + \pi_2 \neq 0$, then $\operatorname{rank}(T) = n - 1 = 2$.
Consider now conditions for the general case where $m \le n - 2$. In these mappings, $T \in Z^{(m+1)\times n}$, $T = \begin{bmatrix} \Pi \\ S \end{bmatrix}$, $\Pi \in Z^{1\times n}$, and $S \in Z^{m\times n}$. Consider again (3.1). If $\operatorname{rank}(T) = m + 1$, there are $n - (m+1)$ linearly independent solutions of (3.1). Let $\vec{\gamma}_1, \ldots, \vec{\gamma}_{n-(m+1)}$ be the linearly independent integral solutions of (3.1) whose entries are relatively prime. All solutions $\vec{\gamma}$ of (3.1) can be represented as the following linear combinations:

$$\vec{\gamma} = \lambda_1 \vec{\gamma}_1 + \cdots + \lambda_{n-(m+1)} \vec{\gamma}_{n-(m+1)}. \tag{3.4}$$

Clearly, $\vec{\gamma}_1, \ldots, \vec{\gamma}_{n-(m+1)}$ are conflict vectors of $T$. In general, the mapping matrix $T$ has more than $n - (m+1)$ conflict vectors when $m < n - 2$ because a linear combination of these $n - (m+1)$ conflict vectors may represent a different integral vector, whose entries are relatively prime, and, therefore, is another conflict vector of $T$. This new conflict vector may or may not be feasible. Thus, unlike the mapping matrix $T \in Z^{(n-1)\times n}$
described earlier in this section, we cannot guarantee that all conflict vectors of $T$ are feasible even if the $n - (m+1)$ linearly independent solutions $\vec{\gamma}_j$, $j = 1, \ldots, n - (m+1)$, of the equation $T\vec{\gamma} = \vec{0}$ are all feasible. This is illustrated by the following example.
Example 3.2. Consider the algorithm with the four-dimensional index set in (2.6) and mapping matrix $T$ in (2.7). Let $\vec{\gamma}_1 = [0, 8, -1, 0]^T$ and $\vec{\gamma}_2 = [0, 0, 1, -8]^T$. Clearly, $T\vec{\gamma}_1 = T\vec{\gamma}_2 = \vec{0}$, and $\vec{\gamma}_1$ and $\vec{\gamma}_2$ are linearly independent and are feasible conflict vectors of $T$. Let $\vec{\gamma} = \vec{\gamma}_1/8 + \vec{\gamma}_2/8 = [0, 1, 0, -1]^T$. The vector $\vec{\gamma}$ is also a solution of the equation $T\vec{\gamma} = \vec{0}$ whose entries are relatively prime and, therefore, is a conflict vector of $T$. Because none of the absolute values of the entries of $\vec{\gamma}$ is greater than the corresponding dimension size $N_j - 1 = 7$, $\vec{\gamma}$ is not feasible in the sense discussed at the beginning of the present section. Therefore, as already mentioned, for a given mapping matrix $T \in Z^{(m+1)\times n}$ with $m < n - 2$, there are possibly more than $n - (m+1)$ conflict vectors, and $T$ may not be conflict free even if there are $n - (m+1)$ linearly independent feasible conflict vectors of $T$.
Example 3.2 brings out the difficulties involved in making all the conflict vectors of a mapping matrix $T$ feasible. Nonfeasible conflict vectors can result from rational linear combinations of the $n - (m+1)$ linearly independent feasible conflict vectors $\vec{\gamma}_1, \ldots, \vec{\gamma}_{n-(m+1)}$ (as is illustrated by $\vec{\gamma} = \vec{\gamma}_1/8 + \vec{\gamma}_2/8$ in Example 3.2). However, there is another way of selecting the $n - (m+1)$ linearly independent conflict vectors of $T$ such that the constants $\lambda_j$, $j = 1, \ldots, n - (m+1)$, in (3.4) must be integral in order for $\vec{\gamma}$ to be integral. As we now explain, the Hermite normal form (Schrijver, 1986, p. 45) of the mapping matrix $T$ can be used to achieve this. For any matrix $T \in Z^{(m+1)\times n}$ with $\operatorname{rank}(T) = m + 1$, there exists a unimodular² matrix $U \in Z^{n\times n}$ such that $TU = H = [L, 0]$, where $0$ denotes a zero-entry matrix, and $L \in Z^{(m+1)\times(m+1)}$ is a nonsingular and lower triangular matrix whose diagonal elements are positive and each of whose diagonal elements is the maximum of all the absolute values of the elements in that same row (Schrijver, 1986, p. 45). The matrix $H$ is called the Hermite normal form of $T$. For the purpose of this paper it is enough to know that $T$ can be transformed into a lower triangular matrix $[L, 0]$ by right multiplication of a unimodular matrix $U$. It is not required that each diagonal element of $L$ be positive or be the maximum of all the absolute values of the elements in that same row.
² A matrix is unimodular if and only if it is integral and the absolute value of its determinant is unity.
For a given mapping matrix $T$, let $H$ be the corresponding Hermite normal form and $T = HV$, where $V = U^{-1}$, $U = [\vec{u}_1, \ldots, \vec{u}_n]$, and $V = [\vec{v}_1, \ldots, \vec{v}_n]$. Equation (3.1) can be rewritten as $HV\vec{\gamma} = \vec{0}$. Let $\vec{\beta} = V\vec{\gamma} = [\beta_1, \ldots, \beta_n]^T$ and $\vec{\gamma} = U\vec{\beta}$. Then the following theorem is true (Shang and Fortes, 1992).

Theorem 3.1.
1. $H\vec{\beta} = \vec{0}$ if and only if $\beta_1, \ldots, \beta_{m+1}$ are all zero.
2. The vector $\vec{\gamma}$ is integral if and only if $\vec{\beta}$ is integral.
3. The vector $\vec{\gamma}$ is a conflict vector of the mapping matrix $T$ if and only if

$$\vec{\gamma} = \beta_{m+2}\vec{u}_{m+2} + \cdots + \beta_n \vec{u}_n, \tag{3.5}$$

where $\beta_j$, $j = m+2, \ldots, n$, are arbitrary integers that are relatively prime and not all zero.

What Theorem 3.1 implies is that all the conflict vectors of the mapping matrix $T$ can be represented by (3.5), where $\beta_{m+2}, \ldots, \beta_n$ are arbitrary integers that are relatively prime and not all zero. Notice that a nonintegral value of any one of $\beta_{m+2}, \ldots, \beta_n$ results in a nonintegral vector $\vec{\gamma}$ according to Theorem 3.1. Hence, in this representation, we can avoid the case where a new conflict vector of $T$ is obtained by a nonintegral linear combination of the $n - (m+1)$ linearly independent solutions of (3.1).
Example 3.3. The Hermite normal form of the mapping matrix $T$ in (2.7) is $TU = H = [L, 0]$, where $U$ is a $4 \times 4$ unimodular matrix and $V = U^{-1}$. All the conflict vectors of $T$ are integral combinations of the third and fourth columns of the matrix $U$ as follows:
$$\vec{\gamma} = [\vec{u}_3, \vec{u}_4] \begin{bmatrix} \beta_3 \\ \beta_4 \end{bmatrix} = \beta_3 \vec{u}_3 + \beta_4 \vec{u}_4,$$

where $\beta_3$ and $\beta_4$ are integers that are relatively prime and are not both zero. The Hermite normal form of $T$ provides a convenient representation of all conflict vectors. The following two theorems provide necessary conditions for conflict-free computations based on the entries of the matrix $U$. This matrix can be computed in polynomial time (Kannan and Bachem, 1979) and, when the allocation matrix $S$ is known, it is possible to express the entries of $V$ as functions of the time schedule $\Pi$.

Theorem 3.2. Let $v_{i,j}$ be the entry of the matrix $V$ at the $i$th row and the $j$th column. If the mapping matrix $T$ is conflict free, at least one of the first $m + 1$ entries of each and every column of $V$ must be nonzero; that is, the following conditions hold:
$$(v_{1,1} \neq 0 \lor v_{2,1} \neq 0 \lor \cdots \lor v_{m+1,1} \neq 0) \land (v_{1,2} \neq 0 \lor v_{2,2} \neq 0 \lor \cdots \lor v_{m+1,2} \neq 0) \land \cdots \land (v_{1,n} \neq 0 \lor v_{2,n} \neq 0 \lor \cdots \lor v_{m+1,n} \neq 0). \tag{3.6}$$

Theorem 3.3.
If the mapping matrix $T$ is feasible, $\vec{u}_{m+2}, \ldots, \vec{u}_n$ are feasible conflict vectors.

It is also possible to derive sufficient conditions for conflict-free computations based on the Hermite normal form of $T$ (Shang and Fortes, 1992). However, necessary and sufficient conditions for conflict-free mappings are much harder to derive and remain an open problem when $m < n - 2$. Instead, a procedure reported in our previous work (Yang et al., 1992) can be used to test for computational conflicts. This procedure is based on the fact that it is possible to reduce the problem of conflict detection to that of checking if a convex polyhedron contains integral points.
4. Time-Optimal Mappings without Computational Conflicts
We now present two different approaches for selecting optimal time mappings $\Pi$ given a space allocation matrix $S$. In other words, we show how to schedule the computations of an algorithm after they have been allocated
to processors. One approach employs a method we have developed earlier (Li and Wah, 1985; O'Keefe et al., 1991; O'Keefe and Fortes, 1986) to intelligently search a solution space in an efficient manner. A second method uses integer linear programming augmented with heuristics, which we illustrate in this section using the matrix-multiplication algorithm as an example. We now briefly discuss the first approach and explain it in more detail in Sections 5 and 6 when we present the parameter method. The fact that the execution time of a schedule $\Pi$ is a monotonic function of the absolute values of the entries of $\Pi$ can be used to devise an efficient search of the solution space. The basic idea is to enumerate all the possible values of $\Pi$ in increasing order of the sum of the absolute values of its entries (this assumes the index-set bounds are the same for every dimension; simple modifications can be made to deal with the general case [Shang and Fortes, 1992]). This search method guarantees that the first feasible solution is optimal because of the monotonic increase in execution time with increasing absolute values of the entries of $\Pi$. By feasible, we mean that $T$ satisfies the conditions of causality, routability, freedom of computational conflicts, and rank compatibility. As discussed in the previous subsection, freedom of computational conflicts can be easily tested when $T$ is $(n-1) \times n$ in $O(n)$ time. In the general case this method has complexity $O((2N+1)^n)$, where $N = \min\{N_j - 1 : j = 1, \ldots, n\}$. More efficient search methods may make use of the necessary conditions provided in the theorems in the last subsection. We have studied several techniques of reducing the search complexity (Yang et al., 1992). Examples include starting the search at the lower bound of the sum of the absolute values of $\Pi$ instead of when the sum is one. The problem of selecting an optimal schedule for the case $T \in Z^{(n-1)\times n}$ can be formulated as an integer programming problem as follows.
$$\min f = \sum_{j=1}^{n} |\pi_j| (N_j - 1) \tag{4.1}$$

subject to

$$\begin{aligned}
&(1)\ \Pi D > \vec{0} \\
&(2)\ SD = PK \ \text{and}\ \sum_{i} |k_{i,j}| \le \Pi \vec{d}_j,\ j = 1, \ldots, r \\
&(3)\ \text{there exists } j \in \{1, \ldots, n\} \text{ such that } |f_j(\pi_1, \ldots, \pi_n)| > N_j - 1 \\
&(4)\ \Pi \in Z^{1\times n}
\end{aligned} \tag{4.2}$$

where

$$T = \begin{bmatrix} \Pi \\ S \end{bmatrix},$$
$S$ and $P$ are given, and $f_j$, $j = 1, \ldots, n$, are as defined in (3.2). As discussed previously, constraint 3 guarantees freedom of computational conflicts and implies that $\operatorname{rank}(T) = m + 1$. Constraint 2 is not required if a new processor array is specially designed for the algorithm, or yields linear constraints if $P$ is known. Constraint 3 in (4.2) is linear because $T \in Z^{(n-1)\times n}$, i.e., the dimension of the algorithm is reduced by one. The formulation in (4.1) and (4.2) is, therefore, an integer piecewise linear programming problem if, as in the next example (Example 4.1), constraint 1 in (4.2) requires $\pi_j > 0$, $j = 1, \ldots, n$. This relaxes the absolute-value requirement in the objective function in (4.1). Further, this integer piecewise linear programming problem can be converted to a piecewise linear programming problem for some applications, as illustrated in Example 4.1. We can add one more constraint, that $\gcd(f_1, \ldots, f_n) = 1$, where $f_j$, $j = 1, \ldots, n$, are as defined in (3.2), to the formulation in (4.1) and (4.2) to guarantee that the greatest common divisor of the resulting conflict vector will be unity. However, this makes the problem more difficult to solve. Hence, we ignore this constraint and check the feasibility of the conflict vector of the resulting solution after the solution has been found. In other words, the conflict vector may not be feasible after the common factor of its entries is removed (Shang and Fortes, 1992). In general, integer programming problems are NP-complete (Schrijver, 1986, p. 245). However, there are two approaches in which this optimization problem may be solved efficiently. First, for each fixed natural number $n$, there exists a polynomial-time algorithm that solves the optimization problem in time that is a polynomial function of the number of constraints and a logarithmic function of the problem-size variables $N_j - 1$, $j = 1, \ldots, n$ (Schrijver, 1986, p. 259). Since in our case $n$, the dimension of the recurrence equation, and the number of constraints are relatively small, the optimization problem formulated in (4.1) and (4.2) can be solved efficiently. Second, given that the objective function is convex, the optimal solution to the integer linear programming problem of (4.1) and (4.2) is the same as that of the corresponding linear programming problem (with integrality constraints removed) if the solutions at the extreme points are integral. This is the method we have used in finding the optimal solution in the following example.
Example 4.1. Consider the matrix-multiplication algorithm and space allocation matrix $S = [1, -1, 0]$. Its dependency matrix $D$ and index set $J$ are shown in (1.10). To satisfy constraint 1 in (4.2), each entry of the linear schedule vector $\Pi$ must be positive, i.e., $\pi_j \ge 1$, $j = 1, \ldots, 3$. Therefore, the problem of finding an optimal linear schedule vector for the matrix-multiplication algorithm is formulated as an integer piecewise linear
programming problem:

$$\min f = N(\pi_1 + \pi_2 + \pi_3)$$

subject to

$$\begin{aligned}
&(1)\ \pi_j \ge 1,\ j = 1, 2, 3 \\
&(2)\ SD = PK \ \text{and}\ \sum_{i} |k_{i,j}| \le \Pi \vec{d}_j,\ j = 1, \ldots, 3 \\
&(3)\ \pi_3 \ge N,\ \text{or}\ \pi_1 + \pi_2 \ge N \\
&(4)\ \Pi \in Z^{1\times 3}
\end{aligned} \tag{4.3}$$
where the inequalities in constraint 3 are derived in Example 3.1 and shown in (3.3). A linear systolic array is to be designed specially for the matrix-multiplication algorithm. Thus, constraint 2 in (4.3) can be ignored. Actually, if one insists on having near-neighbor connections, constraint 2 yields the constraints $\pi_1 \ge 1$, $\pi_2 \ge 1$, and $\pi_3 \ge 0$. This is true because if $P$ and $K$ are chosen as $[1, -1, 0]$ and $I$ (the identity matrix), respectively, $SD = SI = [1, -1, 0] = PK = [1, -1, 0]I$. In fact, these constraints are subsumed by constraint 1. For an integer linear programming problem with a convex solution set, if all its extreme points are integral, one of the extreme points is the optimal solution of that problem (Schrijver, 1986, p. 232). The solution set of the integer programming problem in (4.3) is not convex because of constraint 3, although all the extreme points are integral. One way of solving this problem is to partition the solution set into two disjoint convex subsets and find the local optimal solutions for all the disjoint solution subsets. The local optimal solution with the smallest value of the objective function is then the optimal solution of the integer programming problem in (4.3). The integer piecewise linear programming problem in (4.3) can be decomposed into two integer linear programming subproblems as follows:
( I ) min f = N(nl
+ n2 + a3)
(4.4a)
((1) a j i 1 , j = 1,2,3
subject to
(ZZ) min f
(2) a3 1 N (3) a1 + 712 IN ((4) n E ZIX3
= N(n,
+ n2 + a3)
(1) a j 2 l , j = 1 , 2 , 3 (2) a, + a2 1 N (3) n E ZIX3
(4.4b)
Each of these problems is an integer linear programming problem with convex solution set. We can check that every extreme point of these convex sets is integral. Each extreme point is the solution of three of the following five equations: $\pi_1 = 1$, $\pi_2 = 1$, $\pi_3 = 1$, $\pi_3 = N$, and $\pi_1 + \pi_2 = N$. There are five such solutions from these five equations that satisfy $\Pi D > 0$, as follows: $\Pi_1 = [1, 1, N]$, $\Pi_2 = [1, N-1, 1]$, $\Pi_3 = [1, N-1, N]$, $\Pi_4 = [N-1, 1, 1]$, and $\Pi_5 = [N-1, 1, N]$. The extreme points with the shortest execution time are $\Pi_2$ and $\Pi_4$. The conflict vector for $\Pi_2$ and $\Pi_4$ is, according to (3.3), $[1, 1, -N]^T$, which is feasible because the absolute value of the third entry of the conflict vector is greater than the corresponding size $N - 1$. So both $\Pi_2$ and $\Pi_4$ are feasible and optimal, because their conflict vectors are feasible and they have the shortest execution time. If we choose $\Pi_2$, the total execution time is $t = (N-1)(1+N) + 1 = N^2$ according to (2.4), and $N - 2$ buffers are needed between the two PEs on the link of data $A$ induced by the dependency $\vec{d}_2$, since

$$
\Pi_2 \vec{d}_2 - \sum_{j=1}^{3} k_{j,2} = N - 1 - 1 = N - 2.
$$

Figure 2 shows the block diagram of the linear array for multiplying two $4 \times 4$ matrices ($N = 4$). Figure 3 shows the execution of the matrix-multiplication algorithm for the corresponding mapping matrix, with schedule vector $\Pi_2 = [1, 3, 1]$ and allocation matrix $S = [1, -1, 0]$. The computation $c_{i_1,i_2} = c_{i_1,i_2} + a_{i_1,i_3}\, b_{i_3,i_2}$ indexed by $\vec{I} = [i_1, i_2, i_3]^T$ is executed at processor $[1, -1, 0]\,\vec{I}$ and at time $[1, 3, 1]\,\vec{I}$. By inspecting Fig. 2, we can confirm that there are no computational conflicts. Two buffers are needed between the two PEs on the link for data $A$, or for dependency vector $\vec{d}_2$. The total execution time is 16, and the total number of PEs is 7. As shown in Fig. 2, two data links are used, one for data $A$ traveling from left to right and one for data $B$ traveling from right to left. Data $C$ are stationary, and $\mathrm{PE}_i$, $-3 \le i \le 3$, computes $c_{i_1,i_2}$ such that $i_1 - i_2 = i$. (For example, $\mathrm{PE}_0$ computes $c_{1,1}$, $c_{2,2}$, $c_{3,3}$, and $c_{4,4}$.)
[Figure 2 (block diagram): a linear chain of PEs, each holding stationary data $C$, connected by neighbor links carrying data $A$ and data $B$ in opposite directions.]
FIG. 2. Block diagram of the linear array for matrix multiplication.
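The optimization of Example 4.1 can be checked by brute force. The following Python is an added example, not code from the chapter: it maps every index point of the $N \times N \times N$ index set with the allocation vector $S = [1, -1, 0]$ and a candidate schedule vector $\Pi$, detects computational conflicts directly (two index points on the same PE at the same time) instead of through constraint 3 of (4.3), and enumerates all $\Pi$ with $1 \le \pi_j \le N$ to find the conflict-free schedules of minimum completion time. For $N = 4$ it reports 16 cycles and 7 PEs, as in the text. It also goes one step beyond the extreme-point argument above: besides $\Pi_2 = [1, 3, 1]$ and $\Pi_4 = [3, 1, 1]$, the point $[2, 2, 1]$ on the edge $\pi_1 + \pi_2 = N$, $\pi_3 = 1$ is conflict-free with the same objective value, as expected for a linear objective that is constant along that edge.

```python
from itertools import product

# Added example (not the chapter's code). The index set is that of the
# matrix-multiplication recurrence c[i1,i2] += a[i1,i3] * b[i3,i2]; the
# allocation vector S = [1, -1, 0] (processor = i1 - i2) is the one of
# Example 4.1; Pi is a candidate linear schedule vector (time = Pi . I).

S_EXAMPLE = (1, -1, 0)


def index_points(n):
    """All index points I = (i1, i2, i3) with 1 <= i_j <= n."""
    return list(product(range(1, n + 1), repeat=3))


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def has_computational_conflict(n, pi, s=S_EXAMPLE):
    """True if two distinct index points map to the same (PE, time) pair.
    This is the conflict condition of Example 4.1 checked by mapping
    every point rather than through the closed-form constraint 3."""
    seen = set()
    for point in index_points(n):
        key = (dot(s, point), dot(pi, point))
        if key in seen:
            return True
        seen.add(key)
    return False


def completion_time(n, pi):
    """Cycles from the first to the last scheduled index point, inclusive."""
    times = [dot(pi, p) for p in index_points(n)]
    return max(times) - min(times) + 1


def num_pes(n, s=S_EXAMPLE):
    """Number of distinct processors the allocation vector uses."""
    return len({dot(s, p) for p in index_points(n)})


def best_schedules(n, s=S_EXAMPLE):
    """Exhaustive search over 1 <= pi_j <= n for conflict-free schedule
    vectors of minimum completion time: (best_time, sorted list of Pi)."""
    best_time, best = None, []
    for pi in product(range(1, n + 1), repeat=3):
        if has_computational_conflict(n, pi, s):
            continue
        t = completion_time(n, pi)
        if best_time is None or t < best_time:
            best_time, best = t, [pi]
        elif t == best_time:
            best.append(pi)
    return best_time, sorted(best)


if __name__ == "__main__":
    t, pis = best_schedules(4)
    print("N = 4: minimum completion time", t, "for schedule vectors", pis)
    print("PEs used:", num_pes(4))
    print("Pi = (1, 1, 1) has a conflict:", has_computational_conflict(4, (1, 1, 1)))
```

The search is only meant for the three-dimensional index set of the example (64 points for $N = 4$); for larger recurrences the closed-form conflict vector of (3.3) is the practical test, which is exactly why the text derives it.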
[Figure 3 (execution table): one row for each of $\mathrm{PE}_{-3}$ through $\mathrm{PE}_3$ and one column for each time step from 5 to 20; each cell lists the $a$, $b$, and $c$ tokens used by the computation executed at that PE and time.]

FIG. 3. Execution of multiplication of two $4 \times 4$ matrices $C = A \times B$. The small block with leftmost column $[i_1, i_2, i_3]^T$ corresponds to the computation $c_{i_1,i_2} = c_{i_1,i_2} + a_{i_1,i_3}\, b_{i_3,i_2}$, which is executed at PE $i_1 - i_2$ and at time $i_1 + 3i_2 + i_3$.
The method discussed here does not guarantee absence of conflicts in data communication over the same link at the same time. We assume that there is enough bandwidth (through hardware links or virtual channels) between the communicating processors to support all the necessary data transfers. Alternatively, if data conflicts must be avoided, one must check the resulting designs for their occurrence. The designs obtained above have no data collisions if data can start to flow at any processor (or data do not have to enter the array solely from the leftmost or the rightmost processor), and data stop flowing as soon as they are no longer needed. This is true because in every column and every row of the matrix $K$ there is only one nonzero entry $k_{j,j} = 1$, $j = 1, \ldots, 3$. This means that when data pass from the source to the destination, they use the data link just once (one hop between source and destination). Data-link collisions may occur if the data use links more than once when passing from the source to the destination. For example, if the space allocation matrix is $S' = [1, 1, N]$ and $P' = [1, 1, 1]$, then to satisfy the condition $SD = PK$, one possible set of values for $K$ is $k_{1,1} = k_{2,2} = 1$, $k_{3,3} = N$, and $k_{i,j} = 0$, $i \ne j$. Thus, the distance between the source and destination for data $C$ is $N$ PEs, and data $C$ will take $N$ hops over the third link in the processor array (the link for $C$) to reach the destination. Suppose $\mathrm{PE}_j$, $j = 1, \ldots, N$, are sending data $x_{i,j}$ (corresponding to $c_{i,j}$ of matrix $C$) to $\mathrm{PE}_{j+N}$ at time $t_i$, $i = 1, \ldots, N$. Then at time $t_1$, $x_{1,1}$ is on the link between $\mathrm{PE}_1$ and $\mathrm{PE}_2$. At time $t_2$, two pieces of data, $x_{1,1}$ and $x_{2,2}$, are on the link between $\mathrm{PE}_2$ and $\mathrm{PE}_3$, and so on. At time $t_{N-1}$, $N - 1$ pieces of data, $x_{1,1}, x_{2,2}, \ldots, x_{N-1,N-1}$, are on the link between $\mathrm{PE}_{N-1}$ and $\mathrm{PE}_N$. So link collisions exist after time $t_1$. This is caused by $k_{3,3} = N$. As shown in Fig. 3, there is no link collision for the particular case $N = 4$ illustrated above.
5. Parameter-Based Methods

In the previous section, we described a dependency-based approach (DM) for mapping algorithms to processor arrays. The approach is general and can synthesize processor arrays for algorithms with uniform as well as nonuniform recurrences. In this approach, a desired mapping can be found by determining the elements of a transformation matrix $T$. Since these elements have to be integers, finding an optimal design requires, in the general case, solving at least an integer linear programming problem. To reduce the complexity, the allocation matrix $S$ can first be chosen heuristically, after which an optimal schedule vector $\Pi$ is found. For instance, an allocation matrix that uses a small number of processing
elements can be used, and a design that minimizes the completion time can then be obtained on the basis of the matrix. A more efficient design can be found if the designs are restricted to the case of recurrences with uniform indexing functions. In the next two sections, we present a parameter-based approach for mapping such recurrences. The thinking behind this method is as follows. It is known that the semantics of systolic arrays can be formally described by uniform recurrence equations, i.e., systolic arrays are isomorphic to uniform recurrences. This implies that as long as the computations defined by the uniform recurrences are well-formed, there is a direct mapping from the recurrence to the systolic array. In fact, this mapping is equivalent to a linear transformation of the index set. Hence, for a linear mapping, the time (respectively, the distance) is constant between execution of any two points $\vec{I}_1$ and $\vec{I}_2$ in the index set separated by a dependency vector $\vec{d}$, where $\vec{I}_2 = \vec{I}_1 + \vec{d}$. This constant is equal to $\Pi \vec{d}$ (respectively, $S \vec{d}$), independent of the index points $\vec{I}_1$ and $\vec{I}_2$. For recurrences with uniform indexing functions (i.e., uniform recurrences and uniformized linear recurrences), the dependences are constant vectors and homogeneous (i.e., the set of dependency vectors at any one point in the index set is the same as at any other point in the index set). Thus, the computation of the recurrence on the processor array is periodic in time and space along the dependency directions in the index space. This periodicity is succinctly captured and exploited in the parameter-based approach that we shall discuss in the balance of this paper. In other words, parameter-based methods employ a different representation that captures the above periodicity, making it possible to find the optimal target array in an efficient manner. Work on parameter-based methods was first done by Li and Wah (1985) for a restricted set of uniform recurrences.

They considered, in particular, three- and two-dimensional recurrences and mapped them to two- and one-dimensional arrays, respectively. The structure of the recurrence was such that the dependency vectors were unit vectors and the dependency matrix an identity matrix. This was an important initial step in obtaining optimal processor arrays efficiently. This array-synthesis technique using parameters was considerably extended and generalized subsequently into a general parameter method (GPM) (Ganapathy and Wah, 1992a,b). Here the recurrence model was a general $n$-dimensional recurrence instead of a specific three-dimensional recurrence. The target arrays are also permitted to be of any lower dimension $m$ (where $m < n$). It is assumed that the processing elements are equally spaced in $m$ dimensions with unit distance between directly connected processing elements; buffers between directly connected processing elements, if any, are assumed to be equally spaced along the link.
5.1. Parameters
In GPM, the behavior, correctness, and performance of a systolic array are characterized by a set of scalar and vector parameters. When a uniform recurrence is executed on a systolic array, the computations are periodic and equally spaced in the systolic array. GPM captures this periodicity by a minimal set of parameters, which is defined as follows.

Parameter 1: Periods. The periods capture the time between execution of the source and sink index points of a dependency vector. Suppose that the time at which an index point $\vec{I}$ (defined for the uniform recurrence equation) is executed is given by a function $\tau(\vec{I})$, and let the period of computation $t_j$ along the dependency direction $\vec{d}_j$ be defined as follows:

$$
t_j = \tau(\vec{I} + \vec{d}_j) - \tau(\vec{I}), \qquad j = 1, 2, \ldots, r. \qquad (5.1)
$$

The number of periods defined is equal to $r$, the number of dependencies in the algorithm. In terms of DM, period $t_j$ satisfies the following equation:

$$
t_j = \Pi \vec{d}_j, \qquad (5.2)
$$

where $\Pi$ is the schedule vector in DM.

Parameter 2: Velocity. The velocity of a datum is defined as the directional distance traversed in a single clock cycle; it is denoted $\vec{V}$. Since each PE is at unit distance from each neighbor, and buffers (if present) must be equally spaced between pairs of PEs, the magnitude of the velocity vector must be a rational number of the form $i/j$, where $i$, $j$ are integers and $i \le j$ (to prevent broadcasting).$^3$ This implies that in $j$ clock cycles, a datum $x$ propagates through $i$ PEs and $j - i$ buffers. All tokens of the same variable have the same velocity (both speed and direction), which is constant during execution in the systolic array. The total number of velocity parameters is $r$ (one for each dependency vector), and each velocity is an $m$-element vector, where $m$ is the dimension of the processor array. Hence, the velocity $\vec{V}_j$ is given by

$$
\vec{V}_j = \frac{\vec{R}_j}{t_j}, \qquad (5.3)
$$

where $\vec{R}_j$ is the (vector) distance between the execution locations of the source and sink index points of the dependency vector $\vec{d}_j$. In the notation

$^3$ A vector is characterized by its magnitude and a unit directional vector.
of DM, the allocation matrix $S$ is related to $\vec{R}_j$ and $\vec{d}_j$ as follows:

$$
\vec{R}_j = S \vec{d}_j. \qquad (5.4)
$$

Parameter 3: Spacing or data distribution. Consider a variable $\Omega_i$ pipelined along the dependence vector $\vec{d}_i$, $1 \le i \le r$. The token $\Omega_i(\vec{I} - \vec{d}_i)$ is used at the index points $\vec{I} + t\vec{d}_i$, $t = \ldots, -2, -1, 0, 1, 2, \ldots$, in computing the recurrence. In other words, the token moves through the processors that use the variable $\Omega_i$ at the index points $(\vec{I} + t\vec{d}_i)$. Consider another token $\Omega_i(\vec{I} - \vec{d}_j)$ of the same variable $\Omega_i$ used at index points $(\vec{I} - \vec{d}_j + t\vec{d}_i)$, $j \ne i$. The directional distance in the processor space from token $\Omega_i(\vec{I} - \vec{d}_j)$ to token $\Omega_i(\vec{I} - \vec{d}_i)$ is defined as a spacing parameter$^4$ $\vec{S}_{i,j}$. Since there are $r$ dependency vectors $\vec{d}_i$, $1 \le i \le r$, there are $r - 1$ nontrivial spacing parameters for each variable and a single trivial spacing parameter $\vec{S}_{i,i} = 0$. These denote the $r$ distances for variable $i$: $\Omega_i(\vec{I} - \vec{d}_i) \to \Omega_i(\vec{I} - \vec{d}_j)$, $i, j = 1, 2, \ldots, r$. Each spacing parameter $\vec{S}_{i,j}$ is an $m$-dimensional vector, where $m$ is the dimension of the processor array. The notation $\vec{S}_{i,j}$ denotes that it is the $j$th spacing parameter of the $i$th variable. A total of $r(r - 1)$ nontrivial spacing parameters are defined. To compute $\vec{S}_{i,j}$, consider the movement of token $\Omega_j(\vec{I} - \vec{d}_j)$ of variable $\Omega_j$ from index point $(\vec{I} - \vec{d}_j)$ to index point $\vec{I}$ with velocity $\vec{V}_j$. In the notation of DM (based on (5.3) and (5.4) and Theorem 5.1), $\vec{S}_{i,j}$ is determined by this movement.

The total number of parameters defined is $r \times (r + 2)$, of which $r$ are periods (scalars); the remaining $r^2 + r$ parameters are $m$-dimensional vectors, of which $r$ are velocities and $r^2$ are spacings (and $r$ of these spacings are trivially zero).
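As an added example (not the chapter's code), the following Python computes the periods, displacements, and velocities of (5.2)-(5.4) for the linear matrix-multiplication array of Example 4.1 ($\Pi = [1, 3, 1]$, $S = [1, -1, 0]$, $N = 4$). It assumes that the dependency matrix $D$ of (1.10), which is not reproduced here, has the unit columns $\vec{d}_1$ for $B$, $\vec{d}_2$ for $A$, and $\vec{d}_3$ for $C$; that assumption is consistent with $\Pi_2 \vec{d}_2 = N - 1$ in Example 4.1 and with $C$ being stationary. The buffer count follows the rule stated above that a token with velocity $i/j$ passes $i$ PEs and $j - i$ buffers in $j$ cycles, and the trajectory function confirms the velocity of $A$ by following one token through the DM mapping.

```python
from fractions import Fraction

# Added example (not the chapter's code): GPM parameters (5.2)-(5.4) derived
# from a DM design for a linear (m = 1) array. ASSUMPTION: the dependency
# matrix D has unit columns d1 = (1,0,0) for data B, d2 = (0,1,0) for
# data A and d3 = (0,0,1) for data C (consistent with Pi_2 . d2 = N - 1).

DEPS = {"B": (1, 0, 0), "A": (0, 1, 0), "C": (0, 0, 1)}


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gpm_parameters(pi, s, deps=DEPS):
    """For each dependency d_j: period t_j = Pi.d_j (5.2), displacement
    R_j = S.d_j (5.4), velocity R_j / t_j (5.3) and the number of buffers
    on a one-hop link, t_j - |R_j| (a stationary datum needs none)."""
    params = {}
    for name, d in deps.items():
        t, r = dot(pi, d), dot(s, d)
        if t < 1:
            raise ValueError(f"{name}: period {t} violates precedence")
        if abs(r) > t:
            raise ValueError(f"{name}: |velocity| > 1 would mean broadcasting")
        params[name] = {
            "period": t,
            "displacement": r,
            "velocity": Fraction(r, t),
            "buffers": t - abs(r) if r != 0 else 0,
        }
    return params


def token_trajectory(n, pi, s, i1, i3):
    """(time, PE) pairs at which the token a[i1,i3] of data A is consumed:
    under the assumed D it is used by the index points (i1, i2, i3),
    i2 = 1..n, each executed at PE S.I and time Pi.I."""
    return [(dot(pi, (i1, i2, i3)), dot(s, (i1, i2, i3)))
            for i2 in range(1, n + 1)]


def observed_velocity(trajectory):
    """PEs moved per cycle between two consecutive uses of one token."""
    (t0, p0), (t1, p1) = trajectory[0], trajectory[1]
    return Fraction(p1 - p0, t1 - t0)


if __name__ == "__main__":
    PI, S = (1, 3, 1), (1, -1, 0)
    for name, p in gpm_parameters(PI, S).items():
        print(name, p)
    traj = token_trajectory(4, PI, S, 1, 1)
    print("a[1,1] is consumed at (time, PE):", traj)
    print("observed velocity of A:", observed_velocity(traj))
```

For data $A$ the period is 3 and the displacement is one PE, so the velocity is $1/3$ in magnitude and two buffers sit on the link, the same figure the text gives for the link of data $A$; data $C$ has displacement 0 and is stationary.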
Example 5.1. Consider a three-dimensional recurrence with $n = 3$, $r = 5$,

$$
Z(k, i, j) = X(k, i)\, Y(j, k) + Z(k - 1, i + 1, j + 1) + Z(k - 1, i + 1, j) + Z(k - 1, i, j + 1). \qquad (5.6)
$$

After pipelining, (5.6) becomes

$$
Z(k, i, j) = X(k, i, j - 1)\, Y(k, i - 1, j) + Z(k - 1, i + 1, j + 1) + Z(k - 1, i + 1, j) + Z(k - 1, i, j + 1). \qquad (5.7)
$$

$^4$ Spacing parameters in GPM are denoted by $\vec{S}$, whereas the processor-allocation matrix in DM is denoted by $S$.
Let $\vec{I} = (k, i, j)^T$, $\vec{d}_1 = (0, 0, 1)^T$, $\vec{d}_2 = (0, 1, 0)^T$, $\vec{d}_3 = (1, -1, -1)^T$, $\vec{d}_4 = (1, -1, 0)^T$, and $\vec{d}_5 = (1, 0, -1)^T$. Rewriting the recurr ence in the functionally equivalent form,

$$
Z(\vec{I}) = X(\vec{I} - \vec{d}_1) \times Y(\vec{I} - \vec{d}_2) + Z(\vec{I} - \vec{d}_3) + Z(\vec{I} - \vec{d}_4) + Z(\vec{I} - \vec{d}_5).
$$

… $> 0$.

2. Computational conflicts. No two index points may be executed at the same processor at the same time. In DM, $\Pi \vec{I}_1 = \Pi \vec{I}_2$ implies that $S \vec{I}_1 \ne S \vec{I}_2$.

3. Data-link conflicts. No two data tokens may contend for a given link at the same time.

Having established the parameters and the two basic relationships among them, we show how the fundamental conditions for validity are satisfied in GPM. By definition, periods denote the time difference between the source and sink of the dependencies. Hence, the precedence constraints are satisfied by simply enforcing $t_i \ge 1$, $i = 1, \ldots, r$. In the array model, all tokens of the same variable move with the same velocity. Hence, data-link conflicts can exist if and only if two tokens of a variable are input at the same time into the same processor and travel together contending for links. This condition is called a data-input conflict in GPM, as two data tokens may be in the same physical location and may conflict with each other as they move through the processors together. It is important to note that in GPM, computational conflicts can exist if and only if data-input conflicts occur. This can be seen by the following simple argument. If two index points are evaluated in the same processor at the same time, then, for each variable, at least two distinct tokens exist together in the same processor. Hence, if there is at least one nonstationary variable, there will be a data-input conflict for the tokens of that variable. Otherwise, all the variables are stationary and the entire computation is executed on one processor, i.e., there is no systolic array. Hence, by enforcing a rule that no data-input conflicts exist, both computational and data-link conflicts are avoided. Theorem 5.3 below presents conditions under which data-input conflicts can be eliminated. Consider the spacings of variable $i$. Let $\vec{S}_i$ be an $m \times (g - 1)$ matrix:
$$
\vec{S}_i = [\vec{S}_{i,1}, \vec{S}_{i,2}, \ldots, \vec{S}_{i,g-1}], \qquad (5.19)
$$

where $\vec{S}_{i,1}, \vec{S}_{i,2}, \ldots, \vec{S}_{i,g-1}$ are $g - 1$ consistent spacings. Let $\vec{\alpha}$, $\vec{\beta}$, and $\vec{\gamma}$
be vectors with $g - 1$ integral elements. Let $L_k$, $U_k$, $k = 1, 2, \ldots, g - 1$, be defined such that the position of all the tokens of the input matrix can be represented by $\sum_{k=1}^{g-1} \vec{S}_{i,k}\, \beta_k$, where $L_k \le \beta_k \le U_k$. $L_k$ and $U_k$ are functions of the size of the input matrix.

Theorem 5.3. Data-input conflicts occur in the input matrix of a nonstationary input $i$ if and only if $\vec{S}_i \vec{\alpha} = 0$ and $\vec{\alpha} \ne 0$, where $\vec{\alpha} = [\alpha_1, \alpha_2, \ldots, \alpha_{g-1}]^T$ and $\alpha_i \in [(L_i - U_i), \ldots, (L_i + U_i)]$, for all $i$ such that $1 \le i \le g - 1$.

Proof. The position of any element of input $i$ can be described as $\vec{S}_i \vec{\beta}$, where $\vec{\beta} = [\beta_1, \ldots, \beta_{g-1}]^T$ and $L_i \le \beta_i \le U_i$. Therefore,

$$
\begin{aligned}
\text{Data-input conflicts}
&\Leftrightarrow \vec{S}_i \vec{\beta} = \vec{S}_i \vec{\gamma},\ \vec{\beta} \ne \vec{\gamma},\ \text{and}\ L_i \le \beta_i, \gamma_i \le U_i \\
&\Leftrightarrow \vec{S}_i (\vec{\beta} - \vec{\gamma}) = 0 \\
&\Leftrightarrow \vec{S}_i \vec{\alpha} = 0,\ \vec{\alpha} = \vec{\beta} - \vec{\gamma},\ \alpha_i \in [(L_i - U_i), \ldots, (L_i + U_i)],\ \vec{\alpha} \ne 0. \qquad \blacksquare
\end{aligned}
$$

Note that in Theorem 5.3, we have defined conservative bounds on $\alpha_i$. Better estimates can be obtained (Xue, 1993) and will result in less overhead when the conditions in Theorem 5.3 are checked in the design process.
Example 5.3. For the recurrence in (5.6), if the array sought is one-dimensional, the spacing parameters are all one-dimensional scalars. Let $\vec{S}_{1,2}$ and $\vec{S}_{1,5}$ be the two independent spacings for input $X$. We set the values of $L_1$ and $L_2$ to be 1, and the values of $U_1$ and $U_2$ to be $N$. Therefore, according to Theorem 5.3, data-input conflicts occur in input $X$ if and only if

$$
\vec{S}_{1,2}\, \alpha_1 + \vec{S}_{1,5}\, \alpha_2 = 0, \qquad (5.20)
$$

where $-(N - 1) \le \alpha_1, \alpha_2 \le (N - 1)$ and $\alpha_1, \alpha_2 \ne 0$. For instance, if $N = 5$, $\vec{S}_{1,2} = 6$, and $\vec{S}_{1,5} = 4$, we find that $\alpha_1 = 2$ and $\alpha_2 = -3$ satisfies (5.20). (In one dimension, the vector spacings are positive or negative numbers.) Hence, there are data-input conflicts in input $X$.
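Theorem 5.3 and Example 5.3 can be exercised with the following Python, an added example rather than the chapter's code. It enumerates the integer vectors $\vec{\alpha}$ within the theorem's conservative bounds $[L_k - U_k, L_k + U_k]$ for one-dimensional (scalar) spacings and, as an independent check, places every token at its position $\vec{S}_i \vec{\beta}$ and looks for two tokens on the same processor. The input values are sample data: the spacings 6 and 4 with $N = 5$ come from Example 5.3, while the pairs (1, 6) and (1, 7) are constructed. The constructed pair (1, 6) illustrates the remark after the theorem: with the conservative bound $L + U$ the theorem reports a conflict that the direct placement does not exhibit.

```python
from itertools import product

# Added example (not the chapter's code): Theorem 5.3 for a one-dimensional
# array, where each spacing S_{i,k} is a scalar. Sample inputs below are
# constructed; the pair (6, 4) with L = 1, U = N = 5 is Example 5.3.


def theorem_53_witnesses(spacings, L, U):
    """Every nonzero integer vector alpha with S_i . alpha = 0 and
    alpha_k in [L_k - U_k, L_k + U_k] (the theorem's conservative bounds).
    `spacings` is the row [S_{i,1}, ..., S_{i,g-1}] of scalar spacings."""
    ranges = [range(l - u, l + u + 1) for l, u in zip(L, U)]
    hits = []
    for alpha in product(*ranges):
        if any(alpha) and sum(s * a for s, a in zip(spacings, alpha)) == 0:
            hits.append(alpha)
    return hits


def data_input_conflict(spacings, L, U):
    """Theorem 5.3 as a yes/no predicate."""
    return bool(theorem_53_witnesses(spacings, L, U))


def tokens_collide(spacings, L, U):
    """Direct check (the left-hand side of the proof): do two distinct index
    vectors beta, gamma with L_k <= beta_k, gamma_k <= U_k land on the same
    processor position S_i . beta?"""
    occupied = {}
    ranges = [range(l, u + 1) for l, u in zip(L, U)]
    for beta in product(*ranges):
        pos = sum(s * b for s, b in zip(spacings, beta))
        if pos in occupied:
            return True  # a second token placed on an occupied position
        occupied[pos] = beta
    return False


if __name__ == "__main__":
    N = 5
    L, U = [1, 1], [N, N]
    # Example 5.3: spacings 6 and 4 -> alpha = (2, -3) is among the witnesses.
    print(theorem_53_witnesses([6, 4], L, U))
    # Constructed: spacings 1 and 6 place all tokens at distinct positions,
    # but the conservative bound L + U = 6 still admits alpha = (6, -1).
    print(tokens_collide([1, 6], L, U), data_input_conflict([1, 6], L, U))
    # Constructed: spacings 1 and 7 are clean under both checks.
    print(tokens_collide([1, 7], L, U), data_input_conflict([1, 7], L, U))
```

Whenever `tokens_collide` reports a collision, `data_input_conflict` reports one as well, which is the direction a design check relies on; the converse can fail only because the bounds are conservative, as the text notes.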
5.3. Design Method

The design of a feasible processor array is equivalent to choosing an appropriate set of parameters that satisfy the constraints imposed by the dependency and application requirements. The search for the "best" design can be represented by the following optimization problem:
$$
\begin{aligned}
\text{Minimize}\quad & b(N, t_1, \ldots, t_r, \vec{R}_1, \ldots, \vec{R}_r) \\
\text{Subject to:}\quad & 1 \le t_i,\ i = 1, \ldots, r, \\
& 0 \le |\vec{R}_i| \le t_i,\ i = 1, \ldots, r, \\
& \text{constraints defined in Theorems 5.1, 5.2, and 5.3,} \\
& \#PE \le \#PE^{UB} \ \text{and}\ T_c \le T_c^{UB}.
\end{aligned}
\qquad (5.21)
$$

The objective function $b$ defined in (5.21) is expressed in terms of attributes such as $T_{comp}$, the computation time of the algorithm; $T_{load}$, the load time for the initial inputs; $T_{drain}$, the drain time for the final results; and $\#PE$, the number of processing elements in the design. Note that the completion time for evaluating the recurrence is

$$
T_c = T_{comp} + T_{load} + T_{drain}. \qquad (5.22)
$$

All the attributes are then expressed in terms of parameters defined in GPM. The first two constraints in (5.21) follow directly from the definition of the parameters in GPM. Since the target array is systolic, the displacements should not exceed the periods $t_i$, in order to prevent data broadcasting (velocities should not exceed one). In addition, the constraints $t_i \ge 1$, $i = 1, 2, \ldots, r$, ensure that the precedence constraints are satisfied. The third constraint indicates that the recurrence is evaluated correctly by the processor array, satisfying the dependency requirements (Theorems 5.1 and 5.2) and being free of data-link and computational conflicts (Theorem 5.3). The fourth constraint specifies the bounds on $T_c$ and $\#PE$ that are imposed on the design to be obtained. For instance, the following are two possible formulations of the optimization problem: (a) Minimize $T_c$ for a design with a maximum bound $\#PE^{UB}$ on $\#PE$; (b) Minimize $\#PE$ for a design with a maximum bound $T_c^{UB}$ on $T_c$. Both of these formulations represent trade-offs between $T_c$ and $\#PE$. This is a unique advantage of using GPM as a way of synthesizing systolic arrays. Both optimization problems and trade-offs are illustrated in detail in Section 6. Another unique feature of GPM is that the formulation in (5.21) is defined with respect to a specific recurrence and a specific problem size $N$. This allows a truly application-specific and problem-size-specific systolic array to be designed to suit specific application requirements. In addition to the constraints we have discussed, there are other constraints that may be defined in the search process. Since, in general, the objective function is nonlinear, involving functions such as ceiling, floor, and the maximum/minimum of a set of terms, it is difficult to describe a
comprehensive algorithm that covers all possible cases. In the following, we first describe our general search strategy, after which we discuss searches with objectives that are functions of $T_{comp}$, $T_{load}$, $T_{drain}$, and $\#PE$. We then present the search algorithm and show its application to the special cases of optimizing $T_{comp}$ and $\#PE$. Our general search strategy takes the objective function $b$ (assumed to be minimized) and decomposes it into two functions $b_1$ and $b_2$ related by $f$ as follows:

$$
b(N, t_1, \ldots, t_r, \vec{R}_1, \ldots, \vec{R}_r) = f\big(b_1(t_1, \ldots, t_r, \vec{R}_1, \ldots, \vec{R}_r),\ b_2(t_1, \ldots, t_r, \vec{R}_1, \ldots, \vec{R}_r)\big), \qquad (5.23)
$$

where $N$ is not represented explicitly since it is a constant in the optimization. The decomposition is done in such a way that $b_1$ is a monotonic function of its variables (which are enumerated), and $b_2$ is a function for which a lower-bound estimate on its value can be obtained easily. In addition, $f$ is assumed to be a monotonically increasing function of $b_2$, so that a lower-bound estimate on $b_2$ can be used to get an upper bound on $b_1$. The search proceeds by systematically enumerating all combinations of a selected set of parameters defined in $b_1$, and solving for the rest of the parameters by the constraints defined in (5.21) or by computing their values when the lower bound of $b_2$ is evaluated. Every time a combination of parameters in $b_1$ is searched, a lower-bound estimate on $b_2$ is computed. This lower-bound estimate, together with $B_{incumbent}$, the objective value of the current incumbent design, defines an upper bound on the value of $b_1$ to be enumerated further in the search process. That is,

(5.24)

Note that this equation only defines an upper bound on the value of $b_1$ to be enumerated; it does not define the combinations of parameter values of $b_1$ that can be pruned. Pruning of combinations of parameter values of $b_1$ is possible only if $b_1$ is monotonic with respect to the combination of parameter values chosen in the enumeration process. To illustrate our search strategy, consider an objective that is a function of $T_{comp}$, $T_{load}$, $T_{drain}$, and $\#PE$ as follows:

$$
B = b_1(T_{comp}, T_{load}, T_{drain}, \#PE) \times b_2(T_{comp}, T_{load}, T_{drain}, \#PE). \qquad (5.25)
$$

Assume that a lower-bound estimate of $b_2$ can be obtained by setting $T_{load} = T_{drain} = 0$, $T_{comp} = T_{comp}^{min}$, and $\#PE = \#PE^{min}$. Consider a case in which $\#PE$ is expressed as a function of $|\vec{R}_1|, \ldots, |\vec{R}_r|$. $\#PE$ is minimal when exactly one $|\vec{R}_i|$ is 1 and the rest, $|\vec{R}_l|$, $l \ne i$, are 0. Similarly, a crude
$T_{comp}^{min}$ can be obtained by letting all $t_i = 1$. Hence, given $B_{incumbent}$, we have

$$
B_{incumbent} = b_1^{UB}\big(T_{comp}, T_{load}, T_{drain}, \#PE \,\big|\, T_{load} = T_{drain} = 0,\ \#PE = \#PE^{min}\big) \times b_2\big(T_{comp}, T_{load}, T_{drain}, \#PE \,\big|\, T_{comp} = T_{comp}^{min},\ T_{load} = T_{drain} = 0,\ \#PE = \#PE^{min}\big), \qquad (5.26)
$$

or, equivalently,

$$
T_{comp}^{UB} = b_1^{-1}\left( \frac{B_{incumbent}}{b_2\big(T_{comp}, T_{load}, T_{drain}, \#PE \,\big|\, T_{comp} = T_{comp}^{min},\ T_{load} = T_{drain} = 0,\ \#PE = \#PE^{min}\big)} \,\middle|\, T_{load} = T_{drain} = 0,\ \#PE = \#PE^{min} \right), \qquad (5.27)
$$

where $b_1^{-1}$ is the inverse function of $b_1$, and $T_{comp}$ is the dummy parameter used in $b_1$. For example, let the objective function be

$$
B = (T_{comp} + T_{load} + T_{drain})^2 \times \#PE = b_1(T_{comp} + T_{load} + T_{drain}) \times b_2(\#PE). \qquad (5.28)
$$

According to (5.27), we have

$$
T_{comp}^{UB} = \sqrt{B_{incumbent} / \#PE^{min}}. \qquad (5.29)
$$

$T_{comp}^{UB}$ is refined continuously as new incumbent designs are found in the search, and the search stops when there is no combination of $t_i$, $i = 1, \ldots, r$, that satisfies $T_{comp} \le T_{comp}^{UB}$. In the following, we describe the search procedure for an objective function of the form in (5.25).

Search procedure for minimizing $B = b(T_{comp}, T_{load}, T_{drain}, \#PE)$, where $T_{comp}$ is a function of $t_1, \ldots, t_r$; $T_{load}$ and $T_{drain}$ are functions of $t_1, \ldots, t_r$ and $|\vec{R}_1|, \ldots, |\vec{R}_r|$; and $\#PE$ is a function of $|\vec{R}_1|, \ldots, |\vec{R}_r|$.

1. Choose $g$ periods and $g$ displacements to be unconstrained parameters. Without loss of generality, we may let these periods and displacements be $t_i$ and $\vec{R}_i$, $1 \le i \le g$, respectively.
2. Initialize $T_{comp}^{UB}$ to be the computation time required to evaluate the recurrence sequentially.
3. Set the values of all the $g$ unconstrained periods $t_i$, $i = 1, \ldots, g$, to be unity.
4. Choose the magnitude of the $g$ unconstrained displacements $|\vec{R}_i|$, $i = 1, \ldots, g$, to be zero.
5. Compute the values of the other dependent $r - g$ periods and displacements using the conditions of Theorem 5.2.
6. Compute $T_{comp}^{cur}$ using the periods and displacements found, where $T_{comp}^{cur}$ is the computation time (without load and drain times) required for processing the recurrence, obtained by substituting the current values of $t_i$, $i = 1, \ldots, r$. (Note that the design may not be feasible at this time.) If $T_{comp}^{cur} > T_{comp}^{UB}$, exit with the incumbent design.
7. Solve for the spacing parameters from (5.11) defined in Theorem 5.1.
8. Check for data-input conflicts using Theorem 5.3 on the spacing parameters; also, check whether the constraints on $T_c$ and $\#PE$ are violated (constraint 4 in (5.21)).
9. If the solution is not feasible, increment one $|\vec{R}_i|$ and repeat Steps 5, 6, 7, and 8 until the $|\vec{R}_i|$ are all equal to $t_i$, $i = 1, \ldots, r$. If all the $|\vec{R}_i|$ equal $t_i$ and no feasible design is found, go to Step 10. If a feasible design is found, go to Step 11.
10. Increment one of the periods such that $T_{comp}^{cur}$ increases by the lowest possible value. Go to Step 4.
11. Compute $B^{cur}$, the objective value achieved by the current design found. If $B^{cur} < B_{incumbent}$, set $B_{incumbent} = B^{cur}$ and compute $T_{comp}^{UB}$ for the current design using (5.27). Increment one $|\vec{R}_i|$ and go to Step 5.
The worst-case complexity of the search procedure above is $(T_{comp}^{seq})^{2g}$, where $T_{comp}^{seq}$ is the time needed to process the recurrence sequentially. This bound holds because, in the worst case, we iterate over all combinations of $t_i$ and $|\vec{R}_i| \le t_i$, $i = 1, \ldots, r$. A special case of the optimization is to find a design with minimum computation time (not including load and drain times). This is discussed in Section 4 of this paper as well as in our earlier work (Ganapathy and Wah, 1992a,b). In this case, $b_2$ is a constant function, and $b_1$ a linear function of $t_1, \ldots, t_r$. Hence, the first feasible design found sets $T_{comp}^{UB}$ equal to $T_{comp}^{cur}$ of the feasible design obtained, and the first feasible design becomes the optimal design that minimizes $T_{comp}$. For a design that minimizes $\#PE$, the search procedure described above needs to be changed. In this case, $b_1$ should be defined as a function of $|\vec{R}_1|, \ldots, |\vec{R}_r|$. The search should start iterating with the smallest combinations of these variables.
6. Applications of the General Parameter Method

Path-finding problems belong to an important class of optimization problems. Typical examples include computing the transitive closure and the shortest paths of a graph. Two-dimensional systolic arrays for finding transitive closures have been studied extensively in the literature (Kung et al.,
1987; Guibas et al., 1979; Rote, 1985). In this section we synthesize a one-pass linear systolic array for the Warshall-Floyd path-finding algorithm. The discussion below is with respect to the transitive closure problem. The transitive closure problem is defined as follows. Compute the transitive closure $C'[i, j]$ of an $n$-node directed graph with an $n \times n$ Boolean adjacency matrix $C[i, j]$, where $C[i, j] = 1$ if there is an edge from vertex $i$ to vertex $j$ or $i = j$, and $C[i, j] = 0$ otherwise. Since the dependency structure is irregular and difficult to map, S. Y. Kung et al. (1987) converted the transitive closure algorithm into a reindexed form and mapped it to 2-D spiral and orthogonal arrays. Based on their algorithm we obtain the following five dependency vectors after pipelining the variables:

$$
\begin{aligned}
\vec{d}_1 &= (0, 0, 1)^T \ \text{for}\ (k, i, j)^T \to (k, i, j - 1)^T, & 2 \le j \le N, \\
\vec{d}_2 &= (0, 1, 0)^T \ \text{for}\ (k, i, j)^T \to (k, i - 1, j)^T, & 2 \le i \le N, \\
\vec{d}_3 &= (1, -1, -1)^T \ \text{for}\ (k, i, j)^T \to (k - 1, i + 1, j + 1)^T, & 2 \le k \le N,\ 1 \le i, j \le N - 1, \\
\vec{d}_4 &= (1, -1, 0)^T \ \text{for}\ (k, i, N)^T \to (k - 1, i + 1, N)^T, & 2 \le k \le N,\ 1 \le i \le N - 1, \\
\vec{d}_5 &= (1, 0, -1)^T \ \text{for}\ (k, N, j)^T \to (k - 1, N, j + 1)^T, & 2 \le k \le N,\ 1 \le j \le N - 1,
\end{aligned}
\qquad (6.1)
$$

where $\vec{I}_1 \to \vec{I}_2$ means that the data at point $\vec{I}_2$ is used at point $\vec{I}_1$. For nodes on the boundary of the dependency graph $G$ where $i = N$ (respectively, $j = N$), dependency $\vec{d}_4$ (respectively, $\vec{d}_5$) is present instead of dependency $\vec{d}_3$. For other interior points, only the three dependencies $\vec{d}_1$, $\vec{d}_2$, and $\vec{d}_3$ exist. The running example discussed in Section 5 is a recurrence with the five dependencies listed above. The dependency graph of the recurrence used in example (5.6) is regular and homogeneous, with five dependencies at each point. However, for transitive closure the dependency graph is not completely regular. Hence, control bits are used to modify the flow (or velocity) of the tokens in order to execute the dependency graph on the processor array correctly. The key observation is as follows. Matrix $C$ (whose transitive closure is to be found) is input along dependency direction $\vec{d}_3$. Inputs along the other dependency directions $\vec{d}_1$, $\vec{d}_2$, $\vec{d}_4$, $\vec{d}_5$ are nonexistent, i.e., they are never sent into the array from the external host. Hence, there are no data-input conflicts along these dependency directions, as the generated outputs are sent at most once on each link in every cycle of the array. As a result, we need to consider only data-input conflicts along direction $\vec{d}_3$. Since dependencies $\vec{d}_3$, $\vec{d}_4$, and $\vec{d}_5$ never coexist,