Advances
in COMPUTERS VOLUME 38
Contributors to This Volume
B. CHANDRASEKARAN, JOSE A. B. FORTES, KUMAR N. GANAPATHY, JOHN M. LONG, ABBE MOWSHOWITZ, GUNTHER PERNUL, WEIJIA SHANG, BENJAMIN W. WAH
Advances in COMPUTERS
EDITED BY
MARSHALL C. YOVITS
Purdue School of Science
Indiana University-Purdue University at Indianapolis
Indianapolis, Indiana
VOLUME 38
ACADEMIC PRESS Boston San Diego New York London Sydney Tokyo Toronto
This book is printed on acid-free paper.
Copyright © 1994 by Academic Press, Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system, without permission in writing from the publisher.
ACADEMIC PRESS, INC.
A Division of Harcourt Brace & Company
525 B Street, Suite 1900, San Diego, CA 92101-4495
United Kingdom Edition published by
ACADEMIC PRESS LIMITED
24-28 Oval Road, London NW1 7DX
Library of Congress Catalog Card Number: 59-15761
International Standard Serial Number: 0065-2458
International Standard Book Number: 0-12-012138-7
Printed in the United States of America
Contents

CONTRIBUTORS
PREFACE

Database Security
Gunther Pernul
1. Introduction
2. Database Security Models
3. Multilevel Secure Prototypes and Systems
4. Conceptual Data Model for Multilevel Security
5. Standardization and Evaluation Efforts
6. Future Directions in Database Security Research
7. Conclusions
References

Functional Representation and Causal Processes
B. Chandrasekaran
1. Introduction
2. Human Reasoning about the Physical World
3. Historical Background
4. Functional Representation
5. Related Work
6. Concluding Remarks
Acknowledgments
References

Computer-Based Medical Systems
John M. Long
1. Overview
2. Automation and the Healing Arts: The Changing World of Medicine in the Information Age
3. Special Issues in Medical Computing
4. A Review of Computer-Based Medical Systems
5. Artificial Intelligence in Medicine
6. Concluding Remarks
References

Algorithm-Specific Parallel Processing with Linear Processing Arrays
Jose A. B. Fortes, Benjamin W. Wah, Weijia Shang, and Kumar N. Ganapathy
1. Introduction
2. The Mapping Problem
3. Computation-Conflict-Free Mappings
4. Time-Optimal Mappings without Computational Conflicts
5. Parameter-Based Methods
6. Applications of the General Parameter Method
7. Conclusions
References

Information as a Commodity: Assessment of Market Value
Abbe Mowshowitz
1. Introduction
2. The Information Marketplace
3. What Is Information?
4. Information Commodities
5. Making Information Commodities
6. Toward an Inventory of Information Commodities
7. Using Information Commodities
8. Competition and Regulation
9. Conclusion
Acknowledgments
Endnotes
References

AUTHOR INDEX
SUBJECT INDEX
CONTENTS OF VOLUMES IN THIS SERIES
Contributors

Numbers in parentheses refer to the pages on which the authors’ contributions begin.

B. Chandrasekaran (73) Laboratory for AI Research, The Ohio State University, Columbus, Ohio 43210
Jose A. B. Fortes (198) School of Electrical Engineering, Purdue University, West Lafayette, Indiana 47907
Kumar N. Ganapathy (198) Coordinated Science Laboratory, University of Illinois, Urbana, Illinois 61801
John M. Long (146) 2676 Manson Pike, Murfreesboro, Tennessee 37129
Abbe Mowshowitz (248) Department of Computer Science, The City College (CUNY), New York, New York 10031
Günther Pernul (1) Institute of Applied Computer Science, Department of Information Engineering, University of Vienna, A-1010 Vienna, Austria
Weijia Shang (198) Department of Computer Engineering, Santa Clara University, Santa Clara, California 95053
Benjamin W. Wah (198) Coordinated Science Laboratory, University of Illinois, Urbana, Illinois 61801
Preface

The publication of Volume 38 of Advances in Computers continues the in-depth presentation of subjects of both current and continuing interest in computer and information science. Contributions have been solicited from highly respected experts in their fields who recognize the importance of writing substantial review and tutorial articles in their areas of expertise. Advances in Computers permits the publication of survey-type articles written from a relatively leisurely perspective. By virtue of the length of the chapters included, authors are able to treat their subjects both in depth and in breadth. The Advances in Computers series began in 1960 and now continues in its 35th year with this volume. During this period, in which we have witnessed great expansion and dynamic change in the computer and information fields, the series has played an important role in the development of computers and their applications. The continuation of the series over this lengthy period is a tribute to the reputations and capabilities of the authors who have contributed to it.

Included in Volume 38 are chapters on database security, causal processes, computer-based medical systems, parallel processing with linear arrays, and information treated as a commodity.

In the first chapter, Günther Pernul points out that the general concept of database security is very broad and embraces such areas as the moral and ethical issues imposed by public and society, legal issues in which laws are passed regulating the collection and disclosure of stored information, and more technical issues such as ways of protecting stored information from loss or unauthorized access, destruction, use, modification, or disclosure. He proposes models and techniques that provide a conceptual framework in the effort to counter the possible threats to database security. Emphasis is given to techniques primarily intended to assure a certain degree of confidentiality, integrity, and availability of the data. Privacy and related legal issues of database security are also discussed.

In the second chapter, B. Chandrasekaran states that cognitive agents that are organized to achieve goals in the world have three fundamental activities to perform, namely, making sense of the world, planning actions to achieve goals, and predicting consequences. He reviews over a decade of work on device understanding from a functional perspective. He believes that research on causal and functional representations is just beginning. In his chapter he describes a research agenda for the immediate future, discusses the logic of “understanding,” and also discusses the phenomena of “reasoning.”
In Chapter 3, John Long indicates that the notion of computer-based medical systems embraces the full range of computer systems, both hardware and software, that are designed and built for use in a medical environment. These include embedded computers (hardware and software) found in medical devices. He shows that many of the areas of medicine are changing due to the impact of computers. Computer-based medical systems are revolutionizing medicine and moving it into the information age. The pace is deliberate as is appropriate for an area that deals with human health. The potential for great benefits exists and many have already been accomplished. By the same token, the changes being brought about because of computers create new problems and exacerbate existing ones.

In the next chapter Fortes, Wah, Shang, and Ganapathy point out that applications of digital signal processing, scientific computing, digital communications, and control are characterized by repeated execution of a small number of computationally intensive operations. In order to meet performance requirements it is often necessary to dedicate hardware with parallel processing capabilities to these specialized operations. Processor arrays, due to their structural regularity and consequent suitability for VLSI implementation, are frequently used for this purpose. They then show that algorithm-specific parallel processing with linear processor arrays can be systematically achieved with the help of the techniques discussed. In particular, they are ideally suited to the algorithms described as affine recurrences or loop nests.

Abbe Mowshowitz in the final chapter considers that the evolution of the marketplace for information appears to be governed by impulses stemming from the displacement of information, knowledge, or skill from persons to artifacts. This process of displacement is an extension of the commoditization of labor, a process that began in earnest with the industrial revolution. The information commodity is to contemporary organizations what the labor commodity was to the pre-industrial workshop: a vehicle for the radical reorganization of production. Triggered by advances in computers and telecommunications, he believes that this displacement process is gaining momentum with the integration of these technologies. Computer-based communications networks will soon reach virtually every organization and person in the industrialized world. Such networks will stimulate an explosive growth in the production and use of information commodities, and support a global marketplace of gigantic proportions.

I am pleased to thank the contributors to this volume. They have given extensively to make this book an important and timely contribution to their profession. Despite the considerable time and effort required, they have recognized the importance of writing substantial review and tutorial contributions in their areas of expertise; their cooperation and assistance are greatly appreciated. Because of their efforts, this volume achieves a high level of excellence and should be of great value and substantial interest for many years to come. It has been a pleasant and rewarding experience for me to edit this volume and to work with the authors.

MARSHALL C. YOVITS
Database Security

GUNTHER PERNUL
Institute of Applied Computer Science
Department of Information Engineering
University of Vienna
1. Introduction
   1.1 The Relational Data Model Revisited
   1.2 The Vocabulary of Security and Major Database Security Threats
2. Database Security Models
   2.1 Discretionary Security Models
   2.2 Mandatory Security Models
   2.3 The Adapted Mandatory Access Control Model
   2.4 The Personal Knowledge Approach
   2.5 The Clark and Wilson Model
   2.6 A Final Note on Database Security Models
3. Multilevel Secure Prototypes and Systems
   3.1 SeaView
   3.2 Lock Data Views
   3.3 ASD-Views
4. Conceptual Data Model for Multilevel Security
   4.1 Concepts of Security Semantics
   4.2 Classification Constraints
   4.3 Consistency and Conflict Management
   4.4 Modeling the Example Application
5. Standardization and Evaluation Efforts
6. Future Directions in Database Security Research
7. Conclusions
References
1. Introduction

Information stored in databases is often considered a valuable and important corporate resource. Many organizations have become so dependent on the proper functioning of their systems that a disruption of service or a leakage of stored information may cause outcomes ranging from inconvenience to catastrophe. Corporate data may relate to financial records, may be essential to the successful operation of an organization, may represent trade secrets, or may describe information about persons whose privacy must be protected. Thus, the general concept of database security is very broad and embraces such areas as the moral and ethical issues imposed by public and society and legal issues in which laws are passed regulating the collection and disclosure of stored information, or more technical issues such as ways of protecting stored information from loss or unauthorized access, destruction, use, modification, or disclosure.

More generally, database security is concerned with ensuring the secrecy, integrity, and availability of data stored in a database. To define our terms, secrecy denotes the protection of information from unauthorized disclosure either by direct retrieval or indirect logical inference. In addition, secrecy must deal with the possibility that information may also be disclosed by legitimate users acting as an “information channel” by passing secret information to unauthorized users. This may be done intentionally or without the knowledge of the authorized user. By integrity we understand the need to protect data from malicious or accidental modification, including insertion of false data, contamination of data, and destruction of data. Integrity constraints are rules that define the correct states of a database and thus can protect the correctness of the database during operation. By availability we understand the characteristic according to which we may be certain that data are available to authorized users when they need them. Availability includes the “denial of service” of a system, as occurs when a system is not functioning in accordance with its intended purpose. Availability is closely related to integrity because “denial of service” may be caused by unauthorized destruction, modification, or delay of service as well.

Database security cannot be seen as an isolated problem as it is influenced by the other components of a computerized system. The security requirements of a system are specified by means of a security policy that is then enforced by various security mechanisms.
For databases, the security requirements can be classified in the following categories:

• Identification, Authentication. Usually, before gaining access to a database, each user has to identify himself to the computer system. Authentication is a way of verifying the identity of a user at log-on time. Most of the common authentication methods are passwords but more advanced techniques like badge readers, biometric recognition techniques, or signature analysis devices are also available.
• Authorization, Access Controls. Authorization consists in the specification of a set of rules that declare who has a particular type of access to a particular type of information. Authorization policies, therefore, govern the disclosure and modification of information. Access controls are procedures that are designed to control authorization by limiting access to stored data to authorized users only.
• Integrity, Consistency. An integrity policy gives a set of rules (i.e., semantic integrity constraints) that define the correct states of the database during database operation and, therefore, can protect against malicious or accidental modification of information. Closely related issues are concurrency control and recovery. Concurrency control policies protect the integrity of the database in the presence of concurrent transactions. If these transactions do not terminate normally due to system crashes or security violations, recovery techniques may be used to reconstruct correct or valid database states.
• Auditing. The requirement to keep records of all security-relevant actions issued by a user is called auditing. The resulting audit records are the basis for further reviews and examinations in order to test the adequacy of system controls and to recommend changes in a security policy.
In this chapter our approach will not involve this type of broad perspective of database security. Instead, the main focus will be on aspects of authorization and access controls. This is a legitimate concern, since identification, authentication, and auditing¹ normally fall within the scope of the underlying operating system and integrity and consistency policies are subject to the closely related topic of “semantic data modeling” or are dependent on the physical design of the database management system (DBMS) software, namely, the transaction and recovery manager. Because most research in database security has concentrated on the relational data model, the discussion in this chapter will focus on the framework of relational databases. However, the results described may generally be applicable to other database models as well. For an overall discussion on basic database security concepts consult the surveys by Jajodia and Sandhu (1990a), Lunt and Fernandez (1990), and Denning (1988). For references to further readings consult the annotated bibliography compiled by Pernul and Luef (1992).

¹ However, audit records are often stored and examined by using DBMS software.

In the remainder of the opening section we briefly review the relational data model, introducing a simple example that will be used throughout the chapter, present the basic terminology used in computer security, and describe the most successful methods of penetrating a database. Because of the diversity of application domains for databases, different security models and techniques have been proposed so far. In Section 2 we review, evaluate, and compare the most prominent examples of these security models and techniques. Section 3 contains an investigation of secure (trusted) database management systems. By a secure DBMS we understand special-purpose systems that support a level-based security policy and are designed and implemented with the main focus on the enforcement of high security requirements. Section 4 focuses on one of the major problems of level-based security-related database research. In this section we address the problem of classifying the data stored in a database so that the security classifications reflect the security requirements of the application domain proper. What is necessary here is to have a clear understanding of all the security semantics of the database application and an appropriate, clever database design. A semantic data/security model is proposed in order to arrive at a conceptualization and clear understanding of the security semantics of the database application. Database security (and computer security in general) is subject to many national and international standardization efforts. These efforts are aimed at developing metrics for evaluating the degree of trust that can be placed in the computer products used in the processing of sensitive information. In Section 5 we briefly review these proposals. In Section 6 we point out research challenges in database security and attempt to forecast the direction of the field over the next few years. Section 7 concludes the chapter.
1.1 The Relational Data Model Revisited
The relational data model was invented by Codd (1970) and is described in most database textbooks. A relational database supports the relational data model and must have three basic components: a set of relations, a set of integrity rules, and a set of relational operators. Each relation consists of a state-invariant relational schema $RS(A_1, \ldots, A_n)$, where each $A_i$ is called an attribute and is defined over a domain $dom(A_i)$. A relation $R$ is a state-dependent instance of $RS$ and consists of a set of distinct tuples of the form $(a_1, \ldots, a_n)$, where each element $a_i$ must satisfy $dom(A_i)$ (i.e., $a_i \in dom(A_i)$). Integrity constraints restrict the set of theoretically possible tuples (i.e., $dom(A_1) \times dom(A_2) \times \cdots \times dom(A_n)$) to the set of practically meaningful tuples. Let $X$ and $Y$ denote sets of one or more of the attributes $A_i$ in a relational schema. We say $Y$ is functionally dependent on $X$, written $X \rightarrow Y$, if and only if it is not possible to have two tuples with the same value for $X$ but different values for $Y$. Functional dependencies represent the basis of most integrity constraints in the relational model of data. Since not all possible relations are meaningful in an application, only those that satisfy certain integrity constraints are considered. From the large set of proposed integrity constraints two are of major relevance for security: the key property and the referential integrity property. The key property states
that each tuple must be uniquely identified by a key and a key attribute must not have the null value. Consequently, each real-world event can be represented in the database only once. Referential integrity states that tuples referenced in one relation must exist in others and is expressed by means of foreign keys. These two rules are application-independent and must be valid in each relational database. In addition, many application-dependent semantic constraints may exist in different databases. Virtual-view relations (or views) are distinguished from base relations. While the former are the result of relational operations and exist only virtually, the latter are actually present in the database and hold the stored data. Relational operations consist of the set operations, a select operation for selecting tuples from relations that satisfy a certain predicate, a project operation for projecting a relation onto a subset of its attributes, and a join operation for combining attributes and tuples from different relations. The relational data model was first implemented as System R by IBM and as INGRES at U. C. Berkeley. The two projects provided the principal impetus for the field of database security research and also considerably advanced the field as well as forming the basis of most commercially available products. A few words on the design of a database are in order. The design of a relational database is a complicated and difficult task and involves several phases and activities. Before the final relation schemas can be determined a careful requirements analysis and conceptualization of the database is necessary. Usually this is done using a conceptual data model powerful enough to allow the modeling of all application-relevant knowledge. The conceptual model is used as an intermediate representation of the database and ultimately transferred into corresponding relation schemas. 
It is very important to use a conceptual data model at this stage since it is only with such a high-level data model that a database can be created that properly represents all the application-dependent data semantics. The de facto standard for conceptual design is the Entity Relationship (ER) approach (Chen, 1976) or any one of its variants. In its graphical representation and in simplest form ER regards the world as consisting of a set of entity types (boxes), attributes (connected to the boxes), and relationship types (diamonds). Relationship types are defined between entity types and are either of degree (1:1), (1:n), or (n:m). The degree describes the maximum number of participating entities. Following is a short example of a relational database. This example will be used throughout the chapter. It is a very simple example yet sufficiently complex for presenting many of the security-relevant questions and demonstrating the complexity of the field. Figure 1 contains a conceptualization of the database in the form of an ER diagram and corresponding relational schemas (key attributes are underlined, foreign keys are in italics).

Employee (SSN, Name, Dep, Salary)
Project (Title, Subject, Client)
Assignment (Title, SSN, Date, Function)

FIG. 1. Representations of a sample database.

The database represents the fact that projects within an enterprise are carried out by employees. In this simple example there are three security objects. First, Employee represents a set of employees each of which is uniquely described by a characteristic SSN (Social Security Number). Next are Name (of employee), Department (in which the employee is working), and Salary (of employee). Second, Project refers to a set of projects carried out by the enterprise. Each project has an identifying Title, Subject, and Client. Finally, the security object Assignment contains the assignments of employees to projects. Each Assignment is characterized by the Date of the Assignment and the Function the employee has to perform while participating in the project. A single employee can be assigned to more than one project and a project may be carried out by more than one employee.
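The key property, referential integrity and functional dependencies described in this section, checked over the sample database as an added example that is not part of the original chapter. All tuple values are constructed, and the composite key (Title, SSN) for Assignment is an assumption of the example.

```python
from collections import defaultdict

# Constructed state for the chapter's three sample relations (values are invented).
EMPLOYEE = [
    {"SSN": "111", "Name": "Adams", "Dep": "Sales", "Salary": 3000},
    {"SSN": "222", "Name": "Baker", "Dep": "R&D", "Salary": 4200},
]
PROJECT = [
    {"Title": "Alpha", "Subject": "Billing", "Client": "ACME"},
    {"Title": "Beta", "Subject": "Radar", "Client": "MoD"},
]
ASSIGNMENT = [
    {"Title": "Alpha", "SSN": "111", "Date": "1994-01-10", "Function": "Analyst"},
    {"Title": "Beta", "SSN": "222", "Date": "1994-02-01", "Function": "Lead"},
    {"Title": "Alpha", "SSN": "222", "Date": "1994-03-15", "Function": "Tester"},
]


def values_of(tup, attrs):
    """Project one tuple onto a list of attributes."""
    return tuple(tup[a] for a in attrs)


def fd_violations(relation, x, y):
    """Return the X-values for which X -> Y fails (same X, different Y)."""
    seen = defaultdict(set)
    for tup in relation:
        seen[values_of(tup, x)].add(values_of(tup, y))
    return [xv for xv, yvs in seen.items() if len(yvs) > 1]


def key_violations(relation, key):
    """Key property: no null in a key attribute, no two tuples with the same key."""
    problems, seen = [], set()
    for tup in relation:
        k = values_of(tup, key)
        if any(v is None for v in k):
            problems.append(("null key", tup))
        elif k in seen:
            problems.append(("duplicate key", tup))
        seen.add(k)
    return problems


def dangling_references(child, fk, parent, pk):
    """Referential integrity: every foreign-key value must exist in the parent."""
    parent_keys = {values_of(t, pk) for t in parent}
    return [t for t in child if values_of(t, fk) not in parent_keys]


def check_database(employee, project, assignment):
    """Run the two application-independent rules and one FD over a database state."""
    return {
        "employee_key": key_violations(employee, ["SSN"]),
        "project_key": key_violations(project, ["Title"]),
        # Assumption: an employee is assigned to a given project at most once.
        "assignment_key": key_violations(assignment, ["Title", "SSN"]),
        "assignment_employee_fk": dangling_references(assignment, ["SSN"], employee, ["SSN"]),
        "assignment_project_fk": dangling_references(assignment, ["Title"], project, ["Title"]),
        "fd_ssn_determines_rest": fd_violations(employee, ["SSN"], ["Name", "Dep", "Salary"]),
    }


def tampered_state():
    """Constructed 'insertion of false data' scenario: three bad inserts."""
    employee = EMPLOYEE + [
        {"SSN": "111", "Name": "Adams", "Dep": "Sales", "Salary": 9000},  # second tuple for SSN 111
        {"SSN": None, "Name": "Ghost", "Dep": "R&D", "Salary": 1},        # null key attribute
    ]
    assignment = ASSIGNMENT + [
        {"Title": "Gamma", "SSN": "222", "Date": "1994-04-01", "Function": "Lead"},  # no such project
    ]
    return employee, PROJECT, assignment


if __name__ == "__main__":
    for name, found in check_database(*tampered_state()).items():
        print(name, found)
```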
1.2 The Vocabulary of Security and Major Database Security Threats

Before presenting the details of database security research it is necessary to define the terminology used and the potential threats to database security. As we have already pointed out, security requirements are stated by means of a security policy which consists of a set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. In general, a security policy is stated in terms of a set of security objects and a set of security subjects. A security object is a passive entity that contains or receives information. It might be a structured concept like an entire database, a relation, a view, a tuple, an attribute, an attribute value, or even a real-world fact represented in the database.
A security object might also be unstructured, such as a physical memory segment, a byte, a bit, or even a physical device like a printer or a processor. Please note that the term “object” is used differently in other areas of computer science. In the present context, security objects are the target of protection. A security subject is an active entity, often in the form of a person (user) or process operating on behalf of a user. Security subjects are responsible for making changes in a database state and causing information to flow within different objects and subjects. Most of the sources of threats to database security come from outside the computing system. If the emphasis is mainly on authorization, users and processes operating on behalf of users must be subject to security control. An active database process may be operating on behalf of an authorized user who has legitimate access or it may be active on behalf of an unauthorized person who has succeeded in penetrating the system. In addition, an authorized database user may act as an “information channel” by passing restricted information to unauthorized users either intentionally or without the knowledge of the authorized user. Some of the most successful database penetration methods are the following:

• Misuses of Authority. Improper acquisition of resources, theft of programs or storage media, modification or destruction of data.
• Logical Inference and Aggregation. Both deal with users authorized to use the database. Logical inference arises whenever sensitive information can be inferred by combining less sensitive data. It may also involve certain knowledge from outside the database system. Closely related to logical inference is the aggregation problem, wherein individual data items are not sensitive though a sufficiently large collection of individual values taken together is sensitive.
• Masquerade. A penetrator may gain unauthorized access by masquerading as an authorized user.
• Bypassing Controls. These might be password attacks or exploitation of system trapdoors that get around intended access control mechanisms. Trapdoors are security flaws built into the source code of a program by the original programmer.
• Browsing. A penetrator may circumvent the protection and search through a directory or read dictionary information in an attempt to locate privileged information. Unless strict need-to-know access controls are implemented, the browsing problem becomes a major flaw of database security.
• Trojan Horses. A Trojan horse is hidden software that tricks a legitimate user into unknowingly performing certain actions. A Trojan horse may be hidden in a sort routine and be designed to release certain data to unauthorized users. Whenever a user activates the sort routine, for example, for the purpose of sorting the result of a database query, the Trojan horse will act, using the user's identity, and thus will have all the privileges of the user.
• Covert Channels. Usually the information that is stored in a database is retrieved by means of legitimate information channels. In contrast to legitimate channels, covert channels are paths that are not normally intended for information transfer. Such hidden paths may either be storage channels like shared memory or temporary files that could be used for communication purposes or timing channels like a degradation of overall system performance.
• Hardware and Media Attacks. Physical attacks on equipment and storage media.
The attack scenario described above is not restricted to databases. For example, the German Chaos Computer Club succeeded in attacking a NASA system via a masquerade, by bypassing access controls (taking advantage of an operating system flaw) and using Trojan horses to capture passwords. As reported by Stoll (1988), some of these techniques were also used by the Wily Hacker. The Internet worm in 1988 exploited trapdoors in electronic mail handling systems and infected more than 5,000 machines connected to the Internet network (Rochlis and Eichin, 1989). Thompson (1984), in his Turing Award Lecture, demonstrated a Trojan horse placed in the executable form of a compiler that permitted the insertion of a trapdoor in each program compiled with the compiler. It is generally agreed that the number of known cases of computer abuse is significantly smaller than the number of actual cases, since a large number of cases in this area remain hidden.
2. Database Security Models
Because of the diversity of application domains for databases, different security models and techniques have been proposed to counter various threats against security. In this section we will discuss the most prominent among them. Put concisely, discretionary security specifies the rules under which subjects can, at their discretion, create and delete objects, and grant and revoke authorizations for accessing objects to other individuals. In addition to controlling access, mandatory security (or protection) regulates the flow of information between objects and subjects. Mandatory security controls are very effective but suffer from several drawbacks. One attempt
to overcome certain limitations of mandatory protection systems is the Adapted mandatory access control (AMAC) model, a security technique that focuses on the design aspect of secure databases. The Personal knowledge approach concentrates on enforcing the basic law of many countries stating the informational self-determination of humans while the Clark and Wilson model attempts to represent common commercial business practice in a computerized security model. Early efforts at comparing some of these techniques were those of Biskup (1990) and Pernul and Tjoa (1992). Landwehr (1981) is a very good survey of formal policies for computer security in general, and Millen (1989) focuses on various aspects of mandatory computer security.
2.1 Discretionary Security Models
Discretionary security models are fundamental to operating systems and DBMSs and have been studied for some time. There was a great deal of interest in theoretical aspects of these models in the period from 1970 to 1975. Since that time most relational database security research has been focused on other types of security techniques. The appearance of more advanced data models has, nevertheless, renewed interest in discretionary policies.
2.1.1 Discretionary Access Controls

Discretionary access controls (DAC) are based on a collection of concepts, including a set of security objects $O$, a set of security subjects $S$, a set of access privileges $T$ defining the kinds of access which a subject has to a certain object, and, in order to represent content-based access rules, a set of predicates $P$. Applied to relational databases, $O$ is a finite set of values $\{o_1, \ldots, o_n\}$ understood to represent relation schemas, and $S$ is a finite set of potential subjects $\{s_1, \ldots, s_m\}$ representing users, groups of users, or transactions operating on behalf of users. Access types (privileges) constitute a set of database operations, such as select, insert, delete, update, execute, grant, or revoke, and the predicate $p \in P$ defines the access window of a subject $s \in S$ on object $o \in O$. The tuple $(o, s, t, p)$ is called an access rule and a function $f$ is defined to determine if an authorization $f(o, s, t, p)$ is valid or not:

$$f : O \times S \times T \times P \to \{\text{True}, \text{False}\}.$$

For any $(o, s, t, p)$, if $f(o, s, t, p)$ evaluates to True, subject $s$ has authorization $t$ to access object $o$ within the range defined by predicate $p$.
An important property of discretionary security models is the support of the principle of delegation of rights, where a right is the $(o, t, p)$-portion of the access rule. A subject $s_i$ who holds the right $(o, t, p)$ may be allowed to delegate that right to another subject $s_j$ ($i \neq j$).

Most systems supporting DAC store access rules in an access control matrix. In its simplest form the rows of the matrix represent subjects, the columns represent the objects, and the intersection of a row and column contains the access type that that subject has authorization for with respect to the object. The access matrix model as a basis for discretionary access controls was formulated by Lampson (1971) and subsequently refined by Graham and Denning (1972) and by Harrison et al. (1976). A more detailed discussion on discretionary controls in databases may be found in the book by Fernandez et al. (1981).

Discretionary security is enforced in most commercial DBMS products and is based on the concept of database views. Instead of authorizing access to the base relations of a system, information in the access control matrix is used to restrict the user to a particular subset of the available data. There are two principal system architectures for view-based protection: query modification and view relations. Query modification is implemented in Ingres-style DBMSs (Stonebraker and Rubinstein, 1976) and consists of appending additional security-relevant qualifiers to a user-supplied query. View relations are unmaterialized queries which are based on physical base relations. Instead of authorizing access to base relations, users are given access to virtual view relations only. By means of qualifiers in the view definition security restrictions can be implemented. View relations are the underlying protection mechanism of System R-based DBMSs (Griffiths and Wade, 1976).
2.1.2 DAC-Based Structural Limitations

Although quite common, discretionary models suffer from major drawbacks when applied to databases with security-critical content. In particular the following limitations are encountered:

• Enforcement of Security Policy. DAC is based on the concept of ownership of information. In contrast to enterprise models, where the whole enterprise is the “owner” of the information and responsible for granting access to stored data, DAC systems assign ownership of the information to the creator of data items in the database and allow the creator the authority to grant access to other users. This has the disadvantage that the burden of enforcing the security requirements of the enterprise becomes the responsibility of the users themselves and can be monitored by the enterprise only at great expense.
• Cascading Authorization. If two or more subjects have the privilege of granting or revoking certain access rules to other subjects, cascading revocation chains may ensue. As an example, consider subjects $s_1$, $s_2$, and $s_3$, and an access rule $(s_1, o, t, p)$. Subject $s_2$ receives the privilege $(o, t, p)$ from $s_1$ and grants this access rule to $s_3$. Later, $s_1$ grants $(o, t, p)$ again to $s_3$ but $s_2$ takes the privilege $(o, t, p)$ away from $s_3$ for some reason. The effect of these operations is that $s_3$ still has the authorization (from $s_1$) to access object $o$ by satisfying the predicate $p$ and using privilege $t$ even though subject $s_2$ has revoked this authorization. This has the consequence that subject $s_2$ is not aware of the fact that the authorization $(s_3, o, t, p)$ is still in effect.

• Trojan Horse Attacks. In systems supporting DAC the identity of the subjects is crucial. If actions can be performed by one subject using another subject’s identity, DAC can be subverted. By a “Trojan horse” is understood software that grants a certain right $(o, t, p)$ held by subject $s_i$ to subject $s_j$ ($i \neq j$) without the knowledge of subject $s_i$. Any program that runs on behalf of a subject acts under the identity of this subject and, therefore, possesses all the DAC access rights of the subject’s processes. If a program contains a Trojan horse that has the functionality of granting access rules to other users, this feature cannot be restricted by discretionary access control methods.

• Updating Problems. View-based protection results in unmaterialized queries which have no explicit physical representation in the database. This has the advantage of providing a high level of flexible support to subjects with different views and automatic filtering out of all data a subject is not authorized to access, though it has the disadvantage of making it impossible to update all the data through certain views. This feature is a result of integrity factors that might be violated in data not contained in the view once the data from the view are updated.
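The cascading-authorization case above can be replayed against a small rule store that records who issued each access rule. This is an added example, not code from the chapter; the class and function names, the `owner` pseudo-subject, the grant-option flag and the predicate are assumptions made for the illustration.

```python
from dataclasses import dataclass

OWNER = "owner"  # assumed name for the creator of the relation


@dataclass(frozen=True)
class Rule:
    grantor: str     # subject that issued the rule
    s: str           # subject holding the right
    o: str           # object (relation schema)
    t: str           # access type
    p: str           # name of the predicate that defines the access window
    grantable: bool  # may s delegate the right (o, t, p) further?


class AccessRules:
    def __init__(self, predicates):
        self.predicates = predicates  # predicate name -> function(row) -> bool
        self.rules = set()

    def _held(self, s, o, t, p):
        return [r for r in self.rules if (r.s, r.o, r.t, r.p) == (s, o, t, p)]

    def grant(self, grantor, s, o, t, p, grantable=False):
        may_delegate = grantor == OWNER or any(
            r.grantable for r in self._held(grantor, o, t, p))
        if not may_delegate:
            raise PermissionError(f"{grantor} may not delegate ({o}, {t}, {p})")
        self.rules.add(Rule(grantor, s, o, t, p, grantable))

    def revoke(self, grantor, s, o, t, p):
        """Withdraw only the rules this grantor issued; return how many."""
        mine = {r for r in self._held(s, o, t, p) if r.grantor == grantor}
        self.rules -= mine
        return len(mine)

    def grantors(self, s, o, t, p):
        """Audit helper: who is s's right (o, t, p) currently derived from?"""
        return sorted(r.grantor for r in self._held(s, o, t, p))

    def f(self, o, s, t, row):
        """Access rule check: s holds t on o and row lies inside the window p."""
        return any(r.s == s and r.o == o and r.t == t
                   and self.predicates[r.p](row) for r in self.rules)


def cascading_scenario():
    # Constructed predicate and rows, loosely modelled on a Project relation.
    ac = AccessRules({"production": lambda row: row["Subject"] == "Production"})
    right = ("Project", "select", "production")
    ac.grant(OWNER, "s1", *right, grantable=True)
    ac.grant("s1", "s2", *right, grantable=True)
    ac.grant("s2", "s3", *right)              # s2 delegates to s3
    ac.grant("s1", "s3", *right)              # later s1 grants the same right
    revoked = ac.revoke("s2", "s3", *right)   # s2 takes its grant away

    inside = {"Title": "Celsius", "Subject": "Production"}
    outside = {"Title": "Alpha", "Subject": "Development"}
    try:
        ac.grant("s3", "s4", *right)          # s3 holds no grant option
        s3_delegated = True
    except PermissionError:
        s3_delegated = False
    return {
        "revoked": revoked,
        "s3_still_authorized": ac.f("Project", "s3", "select", inside),
        "s3_outside_window": ac.f("Project", "s3", "select", outside),
        "s3_grantors": ac.grantors("s3", *right),
        "s3_delegated": s3_delegated,
    }


if __name__ == "__main__":
    print(cascading_scenario())
```

The revoke by s2 succeeds, yet the check still passes for s3; only the `grantors` audit shows that the right now derives from s1.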
2.2 Mandatory Security Models
Mandatory policies address a higher level of threat than do discretionary policies since, in addition to controlling access to data, they control the flow of data as well. Moreover, mandatory security techniques do not suffer from the structural limitations of DAC-based protection.
2.2.1 Mandatory Access Controls

Whereas discretionary models are concerned with defining, modeling, and enforcing access to information, mandatory security models are, in addition, also concerned with the flow of information within a system.
Mandatory security requires that security objects and subjects be assigned certain security levels represented by a label. The label for an object $o$ is called its classification ($\mathrm{class}(o)$) and a label for a subject $s$ is called its clearance ($\mathrm{clear}(s)$). The classification represents the sensitivity of the labeled data, while the clearance of a subject represents its trustworthiness to not disclose sensitive information to others. A security label consists of two components: a level from a hierarchical list of sensitivity levels or access classes (for example: top-secret > secret > confidential > unclassified) and a member of a nonhierarchical set of categories, representing classes of object types of the universe of discourse. Clearance and classification levels are totally ordered, while the resulting security labels are only partially ordered; thus, the set of classifications forms a lattice. In this lattice security class $c_1$ is comparable to and dominates ($\geq$) security class $c_2$ if the sensitivity level of $c_1$ is greater than or equal to that of $c_2$ and if the categories in $c_1$ contain those in $c_2$.

Mandatory security grew out of the military environment where the practice is to label information. However, this custom is also common in many companies and organizations where labels such as “confidential” or “company confidential” are used. Mandatory access control (MAC) requirements are often stated following Bell and LaPadula (1976) and formalized in the following two rules. The first (simple property) protects the information of a database from unauthorized disclosure, and the second (*-property) protects data from contamination or unauthorized modification by restricting the information flow from high to low:

1. Subject $s$ is allowed to read data item $d$ if $\mathrm{clear}(s) \geq \mathrm{class}(d)$.
2. Subject $s$ is allowed to write data item $d$ if $\mathrm{clear}(s) \leq \mathrm{class}(d)$.

A few final remarks on MAC policies are in order.
In many discussions confusion has arisen concerning the fact that in mandatory systems it is not enough to have stringent controls over who can read which data. Why is it necessary to include stringent controls over who can write which data in systems with high security requirements? The reason is that a system with high security needs must protect itself against attacks from unauthorized as well as from authorized users. There are several ways authorized users may disclose sensitive information to others. This can happen by mistake, as a deliberate illegal action, or the user may be tricked into doing so by a Trojan horse attack. The simplest way in which information is disclosed by an authorized user occurs when information is retrieved from a database, copied into an “owned” object, and the copy then made available to others. To prevent an authorized user from doing so, it is necessary to control his ability to make copies (which implies the writing of data). In particular,
once a transaction has successfully completed a read attempt, the protection system must ensure that no write to a lower-security level (write-down) could occur caused by a user who is authorized to execute a read transaction. As read and write checks are both mandatory controls, a MAC system successfully protects against attempts to copy information and grant copies to unauthorized users. By not allowing higher classified subjects the capability to “write-down” on lower classified data, the information flow among subjects with different clearances can be efficiently controlled. Inasmuch as covert storage channels require writing to objects, the *-property also helps limit leakage of information along such hidden paths.

Mandatory integrity policies have also been studied. Biba (1977) has formulated an exact mathematical dual of the Bell-LaPadula model with integrity labels and two properties: no write-up in integrity and no read-down in integrity. That is, low-integrity objects (including subjects) are not permitted to contaminate objects of higher integrity, or, in other words, no resource is permitted to depend upon other resources unless the latter are at least as trustworthy as the former.

As an interesting optional feature, mandatory security and the Bell-LaPadula (BLP) paradigm may lead to multilevel databases. These are databases containing relations which appear to be different to users with different clearances. This is accomplished by application of two policies, first by not allowing all clearances to authorize all subjects to all the data, and, second, by the fact that the support of MAC may lead to polyinstantiation of attributes or tuples. We will discuss polyinstantiation and the multilevel relational data model in more detail in the next subsection.
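The dominance relation and the two Bell-LaPadula rules of this subsection, together with Biba's dual, can be written as a small reference-monitor sketch. This is an added example, not code from the chapter; the level abbreviations follow the chapter's TS > S > Co > U ordering, while the category names and function names are assumptions.

```python
from dataclasses import dataclass

LEVELS = {"U": 0, "Co": 1, "S": 2, "TS": 3}  # TS > S > Co > U


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()


def label(level, *categories):
    return Label(level, frozenset(categories))


def dominates(c1, c2):
    """c1 >= c2: level at least as high and categories a superset."""
    return (LEVELS[c1.level] >= LEVELS[c2.level]
            and c1.categories >= c2.categories)


def comparable(c1, c2):
    return dominates(c1, c2) or dominates(c2, c1)


def lub(c1, c2):
    """Least upper bound of two labels in the lattice."""
    level = max(c1.level, c2.level, key=LEVELS.get)
    return Label(level, c1.categories | c2.categories)


def can_read(clearance, classification):      # simple property
    return dominates(clearance, classification)


def can_write(clearance, classification):     # *-property
    return dominates(classification, clearance)


def biba_can_read(subject_integrity, object_integrity):   # no read-down
    return dominates(object_integrity, subject_integrity)


def biba_can_write(subject_integrity, object_integrity):  # no write-up
    return dominates(subject_integrity, object_integrity)


def mediate_copy(clearance, source, target):
    """Decide a read-then-write request made under one subject's clearance.

    Whether the request comes from the user or from a Trojan horse running
    with the user's identity makes no difference to the decision.
    """
    if not can_read(clearance, source):
        return "denied: simple property"
    if not can_write(clearance, target):
        return "denied: *-property"
    return "permitted"


def copy_scenario():
    # Category names are constructed for the example.
    analyst = label("S", "projects")
    secret_relation = label("S", "projects")
    public_file = label("U")
    ts_archive = label("TS", "projects", "finance")
    return {
        "copy_to_public": mediate_copy(analyst, secret_relation, public_file),
        "copy_to_archive": mediate_copy(analyst, secret_relation, ts_archive),
        "read_archive": mediate_copy(analyst, ts_archive, ts_archive),
    }


if __name__ == "__main__":
    print(copy_scenario())
```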
2.2.2 The Multilevel Secure Relational Data Model

In this subsection we will define the basic components of the multilevel secure (MLS) relational data model. We will consider the most general case, i.e., the case in which an individual attribute value is subject to a security label assignment. We start by using the sample database scenario from the Introduction. Throughout the text, whenever the example is referred to, the existence of four sensitivity levels, denoted TS, S, Co, and U (where TS > S > Co > U), and only one category is assumed. In each relational schema TC is an additional attribute and contains the tuple classification.

Consider the three different instances of the relation “Project” given in Fig. 2. Figure 2(a) corresponds to the view of subject $s$ with $\mathrm{clear}(s)$ = S. Because of the simple property of BLP (read-access rule), users cleared at U see the instances of Project shown in Fig. 2(b). In this case the simple property of BLP automatically filters out data that dominate U. Consider further a subject $s$ with $\mathrm{clear}(s)$ = U and an insert operation in which the
Title        Subject          Client   TC
Alpha, S     Development, S   A, S     S
Beta, U      Research, S      B, S     S
Celsius, U   Production, U    C, U     U
(a) Project_S

Title        Subject          Client   TC
Celsius, U   Production, U    C, U     U
(b) Project_U

Fig. 2. Instances of MLS relation “Project”.
user wishes to insert the tuple (Alpha, Production, 0) into the relation shown in Fig. 2(b). Because of the key integrity property, a standard relational DBMS would not allow this operation. (Although not seen by user $s$, Alpha already exists as a key in Project.) However, from a security point of view, the insert must not be rejected because otherwise there will be a covert signalling channel from which $s$ may conclude that sensitive information he is not authorized to access may exist. The outcome of the operation is shown in Fig. 2(c) and consists of a polyinstantiated tuple in the MLS relation Project. A similar situation occurs if a subject cleared for the U-level updates (Beta, null, null) in Project as shown in Fig. 2(b) by replacing the null values with certain data items. Again, this leads to polyinstantiation in Project.

As another example of polyinstantiation, assume that a subject with $\mathrm{clear}(s)$ = S wishes to update (Celsius, Production, C). In systems supporting MAC such an update is not allowed because of the *-property of BLP so as to prevent an undesired information flow from subjects cleared at the S-level to subjects cleared at the U-level. Thus, if an S-level subject wishes to update the tuple, the update again must result in polyinstantiation.

The problem of polyinstantiation arises out of the need to avoid a covert channel. Lampson (1973) has defined a covert channel as a means of downward information flow. As an example let us consider the situation just described once again. If an insert operation initiated by some subject is rejected because of the presence of a tuple at a higher level, the subject
might be able to infer the existence of that tuple, resulting in a downward information flow. With respect to security much more may happen than just inferring the presence of a tuple. The success or failure of the service request, for example, can be applied repeatedly to communicate one bit of information (0: failure, 1: success) to a lower level. Therefore, the problem is not only that of inferring a classified tuple; moreover, any information visible at the higher level can be sent through a covert channel to the lower level.

The theory of most data models is built around the concept that a real-world fact may be represented in a database only once. Because of polyinstantiation, this fundamental property is no longer true for MLS databases, thus requiring the development of a new theory. The state of development of MLS relational theory has been considerably advanced by research in the SeaView project (see Denning et al., 1988 or Lunt et al., 1990). The following discussion of the theoretical concepts underlying the MLS relational data model is based principally on the model developed by Jajodia and Sandhu (1991a).

In the Jajodia-Sandhu model, each MLS relation consists of a state-invariant multilevel relational schema $RS(A_1, C_1, \ldots, A_n, C_n, TC)$, where each $A_i$ is an attribute defined over a domain $\mathrm{dom}(A_i)$, each $C_i$ is a classification for $A_i$, and $TC$ is the tuple-class. The domain of $C_i$ is defined by $[L_i, H_i]$, which is a sublattice consisting of all security labels. The resulting domain of $TC$ is $[\mathrm{lub}\{L_i, i = 1..n\}, \mathrm{lub}\{H_i, i = 1..n\}]$, where lub denotes the least-upper-bound operation in the sublattice of security labels. In the Jajodia-Sandhu model $TC$ is included but is an unnecessary attribute.

A multilevel relation schema corresponds to a collection of state-dependent relation instances $R_c$, one for each access class $c$. A relation instance is denoted by $R_c(A_1, C_1, \ldots, A_n, C_n, TC)$ and consists of a set of distinct tuples of the form $(a_1, c_1, \ldots, a_n, c_n, tc)$, where each $a_i \in \mathrm{dom}(A_i)$, $c \geq c_i$, $c_i \in [L_i, H_i]$, and $tc = \mathrm{lub}\{c_i, i = 1..n\}$. We use the notation $t[A_i]$ to refer to the value of attribute $A_i$ in tuple $t$ while $t[C_i]$ denotes the classification of $A_i$ in tuple $t$. Because of the simple property of BLP, $t[A_i]$ is visible for subjects with $\mathrm{clear}(s) \geq t[C_i]$; otherwise $t[A_i]$ is replaced with the null value.

The standard relational model is based on two core integrity properties: the key property and the referential integrity property. In order to meet the requirements for MLS databases, both have been adapted and two further properties have been introduced. In the standard relational data model a key is derived by using the concept of functional dependencies. In the MLS relational model such a key is called an apparent key. Its notion has been defined by Jajodia et al. (1990). For the following we assume that
$RS(A_1, C_1, \ldots, A_n, C_n, TC)$ is an MLS relational schema and that $A$ ($A \subseteq \{A_1, \ldots, A_n\}$) is the attribute set that forms its apparent key.

[MLS integrity property 1]: Entity integrity. An MLS relation $R$ satisfies entity integrity if and only if for all instances $R_c$ and $t \in R_c$ the following conditions hold:

1. $A_i \in A \Rightarrow t[A_i] \neq \text{null}$
2. $A_i, A_j \in A \Rightarrow t[C_i] = t[C_j]$
3. $A_i \notin A \Rightarrow t[C_i] \geq t[C_A]$ ($C_A$ is the classification of key $A$).

Entity integrity states that the apparent key may not have the null value, and must be uniformly classified, and that its classification must be dominated by all the classifications of the other attributes.

[MLS integrity property 2]: Null integrity. $R$ satisfies null integrity if and only if for each instance $R_c$ of $R$ the following conditions hold:

1. For every $t \in R_c$, $t[A_i] = \text{null} \Rightarrow t[C_i] = t[C_A]$.
2. $R_c$ is subsumption free, i.e., it does not contain two distinct tuples such that one subsumes the other. A tuple $t$ subsumes a tuple $s$ if for every attribute $A_i$, either $t[A_i, C_i] = s[A_i, C_i]$ or $t[A_i] \neq \text{null}$ and $s[A_i] = \text{null}$.

Null integrity states that null values must be classified at the level of the key and that for subjects cleared for higher security classes, null values visible to lower clearances are replaced by the proper values automatically.

The next property deals with consistency between the different instances $R_c$ of $R$. The inter-instance property was first defined by Denning et al. (1988) within the SeaView framework, later corrected by Jajodia and Sandhu (1990b) and later again included in SeaView by Lunt et al. (1990).

[MLS integrity property 3]: Inter-instance integrity. $R$ satisfies inter-instance integrity if for all instances $R_c$ of $R$ and all $c' < c$, a filter function $\sigma$ produces $R_{c'}$. In this case $R_{c'} = \sigma(R_c, c')$ must satisfy the following conditions:

1. For every $t \in R_c$ such that $t[C_A] \leq c'$ there must be a tuple $t' \in R_{c'}$ with $t'[A, C_A] = t[A, C_A]$ and for $A_i \notin A$

$$t'[A_i, C_i] = \begin{cases} t[A_i, C_i] & \text{if } t[C_i] \leq c' \\ (\text{null}, t[C_A]) & \text{otherwise.} \end{cases}$$

2. There are no additional tuples in $R_{c'}$ other than those derived by the above rule. $R_{c'}$ is made subsumption free.
The inter-instance property is concerned with consistency between relation instances of a multilevel relation $R$. The filter function $\sigma$ maps $R$ to different instances $R_{c'}$ (one for each $c' < c$). Through the use of filtering a user is restricted to that portion of the multilevel relation for which the user is cleared. If $c'$ dominates some security levels in a tuple but not others, then during query processing, the filter function $\sigma$ replaces all attribute values the user is not cleared to see by null values. Because of this filter function a shortcoming arises in the Jajodia-Sandhu model which was pointed out by Smith and Winslett (1992). Smith and Winslett state that $\sigma$ introduces an additional semantics for nulls. In the Jajodia-Sandhu model a null value can now mean “information available but hidden” and this null value cannot be distinguished from a null value representing the semantics, “value exists but not known” or a null value with the meaning “this property will never have a value.” In a database all kinds of nulls may be present and at a certain security level it may be difficult for subjects to say what should be believed at that level.

Let us now turn our attention to polyinstantiation. As we have seen in the example given earlier, polyinstantiation may occur on a number of different occasions, for example, when a user with low clearance attempts to insert a tuple that already exists with higher classification, or when a user wishes to change values in a lower classified tuple. Polyinstantiation may also occur because of a deliberate action in the form of a cover story, where lower cleared users should not be provided with the proper values of a certain fact. Some researchers state that the use of polyinstantiation to establish cover stories is a bad idea and should not be permitted. However, if supported, it may not occur within the same access class.
[MLS integrity property 4]: Polyinstantiation integrity. $R$ satisfies polyinstantiation integrity if for every $R_c$ and each attribute $A_i$, the functional dependency $A\,C_i \to A_i$ ($i = 1..n$) holds.

Property 4 states that an apparent key $A$ and the classification of an attribute correspond to one and only one value of the attribute, i.e., polyinstantiation may not occur within a single access class.

In many DBMSs supporting an MLS relational data model, multilevel relations exist only at the logical level. In such systems multilevel relations are decomposed into a collection of single-level base relations which are then physically stored in the database. Completely transparent multilevel relations are constructed from these base relations upon user demand. The reasons underlying this approach are mainly practical in nature. First, fragmentation of data based on the sensitivity of the data is a natural and
intuitive solution to security and, second, available and well-accepted technology may be used for implementation of MLS systems. In particular, the decomposition approach has the advantage of not requiring extension of the underlying trusted computing base (TCB) to include mandatory controls on multilevel relations, which means that the TCB can be implemented with a small amount of code. Moreover, it allows the DBMS to run mainly as an untrusted application on top of the TCB. We will come back to this issue in Section 3 in a discussion of different implementations of trusted DBMSs.
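The filter function $\sigma$, the subsumption rule and the polyinstantiating insert of this subsection can be traced on the Project relation of Fig. 2(a). This is an added example, not code from the chapter or from the Jajodia-Sandhu model's authors; it assumes a single-attribute apparent key (Title) and one category, the function names are this example's own, and the Client value "D" in the inserted tuple is constructed.

```python
LEVELS = {"U": 0, "Co": 1, "S": 2, "TS": 3}   # TS > S > Co > U, one category
KEY, NON_KEY = "Title", ("Subject", "Client")
ATTRS = (KEY,) + NON_KEY


def tup(title, subject, client):
    """Build a tuple from (value, class) pairs; TC is the lub of the classes."""
    t = {"Title": title, "Subject": subject, "Client": client}
    t["TC"] = max((t[a][1] for a in ATTRS), key=LEVELS.get)
    return t


# Fig. 2(a): the instance seen by a subject cleared at S.
PROJECT_S = [
    tup(("Alpha", "S"), ("Development", "S"), ("A", "S")),
    tup(("Beta", "U"), ("Research", "S"), ("B", "S")),
    tup(("Celsius", "U"), ("Production", "U"), ("C", "U")),
]


def subsumes(t, s):
    return all(t[a] == s[a] or (t[a][0] is not None and s[a][0] is None)
               for a in ATTRS)


def subsumption_free(instance):
    distinct = [t for i, t in enumerate(instance) if t not in instance[:i]]
    return [s for s in distinct
            if not any(t != s and subsumes(t, s) for t in distinct)]


def sigma(instance, c_prime):
    """Filter function: derive the instance for the lower access class c'."""
    view = []
    for t in instance:
        key_class = t[KEY][1]
        if LEVELS[key_class] > LEVELS[c_prime]:
            continue                      # apparent key not visible at c'
        values = [t[KEY]]
        for a in NON_KEY:
            visible = LEVELS[t[a][1]] <= LEVELS[c_prime]
            values.append(t[a] if visible else (None, key_class))
        view.append(tup(*values))
    return subsumption_free(view)


def polyinstantiation_ok(instance):
    """Apparent key value plus C_i must determine the value of A_i."""
    for a in ATTRS:
        seen = {}
        for t in instance:
            value, cls = t[a]
            if seen.setdefault((t[KEY][0], cls), value) != value:
                return False
    return True


def insert(instance, values, c):
    """Insert by a subject cleared at c; every attribute is classified at c.

    Only a key that already exists at class c is a duplicate. A key held at
    another class is not grounds for rejection, because the refusal itself
    would reveal the hidden tuple; the new tuple is polyinstantiated.
    """
    new = tup(*[(v, c) for v in values])
    if any(t[KEY] == new[KEY] for t in instance):
        raise ValueError(f"key {values[0]!r} already exists at class {c}")
    return instance + [new]


def titles(instance):
    return [t[KEY] for t in instance]


def demo():
    view_u = sigma(PROJECT_S, "U")
    # Constructed tuple: a U-cleared subject reuses the key Alpha.
    stored = insert(PROJECT_S, ("Alpha", "Production", "D"), "U")
    try:
        insert(stored, ("Alpha", "Research", "E"), "U")
        second_insert = "accepted"
    except ValueError:
        second_insert = "rejected"
    return view_u, stored, second_insert


if __name__ == "__main__":
    for row in sigma(demo()[1], "U"):
        print(row)
```

The first insert is accepted and yields two Alpha tuples at the S level; the second is refused only because Alpha now exists at U, which the inserting subject can already see.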
2.2.3 MAC-Based Structural Limitations

Although more restrictive than DAC models, MAC techniques require certain extensions in order to be applied to databases in an efficient way. In particular, the following drawbacks in multilevel secure databases and mandatory access controls based on BLP represent structural limitations:

• Granularity of the Security Object. It is not yet agreed what should be the granularity of labeled data. Proposals range from protecting whole databases, to protecting files, protecting relations, attributes, or even certain attribute values. In any case, careful labeling is necessary since otherwise inconsistent or incomplete label assignments could result.

• Lack of an Automated Security Labeling Technique. Databases usually contain a large collection of data and serve many users, and in many civil applications the labeled data are not available. This is why manual security labeling is necessary though it may also result in an almost endless process for large databases. Therefore, support techniques are needed, in the form of guidelines and design aids for multilevel databases, tools to help in determining relevant security objects, and tools that suggest clearances and classifications.

• N-persons Access Rules. Because of information flow policies, higher cleared users are restricted from writing-down on lower classified data items. However, organizational policies may require that certain tasks be carried out by two or more persons (four-eyes principle) having different clearances. As an example, consider subjects $s_1$, $s_2$ with $\mathrm{clear}(s_1) > \mathrm{clear}(s_2)$, data item $d$ with $\mathrm{class}(d) = \mathrm{clear}(s_2)$ and a business rule that specifies that writing by $s_2$ on $d$ requires the approval of $s_1$. Following Bell-LaPadula’s write-access rule it would be necessary for $s_1$ and $s_2$ to have the same level of clearance. This may be inadequate in business applications of MLS database technology.
2.3 The Adapted Mandatory Access Control Model
The principal goals of the Adapted Mandatory Access Control (AMAC) model are to adapt mandatory access controls to better fit general-purpose data processing practice and to offer a design framework for databases containing sensitive information. In order to overcome the MAC-based limitations discussed earlier, AMAC offers several features that assist the database designer in performing the different activities involved in designing a database containing sensitive information. AMAC has the following advantages when used as a security technique for databases:

• The technique supports all phases of the database design process and can be used to construct discretionary-protected as well as mandatory-protected databases.

• If mandatory protection is required, a supporting policy for the purpose of deriving database fragments as the target of protection is provided. This responds to concerns regarding the granularity of security objects in multilevel systems.

• If mandatory protection is required, automated security labeling of security objects and subjects is supported. Automated labeling leads to candidate security labels that can be refined by a human security administrator if necessary. This overcomes the limitation that labeled data often is not available.

• In AMAC security is enforced through the use of database triggers and thus can be fine-tuned to meet application-dependent security requirements. For example, the n-eyes principle may be supported in some applications but not in others where information flow control is a major concern of the security policy.
We will first give a general overview of the AMAC technique followed by a more formal discussion and an example.
2.3.1 AMAC General Overview
Adapted mandatory security belongs to the class of role-based security models which assume that each potential user of the system performs a certain role in the organization. Based on their role users are authorized to execute specific database operations on a predefined set of data. The AMAC model covers not only access control issues; it also includes a database design environment with the principal emphasis on the security of the databases which are produced. These databases may be implemented in DBMSs that support DAC exclusively or in DBMSs that support both DAC and MAC. The technique combines well known and widely accepted
concepts from the field of data modeling with concepts from the area of data security research. In AMAC the following are the design phases for security-critical databases:

1. Requirements Analysis and Conceptual Design. Based on the role which they perform in the organization potential users of a database may be classified into a number of different groups whose data and security requirements may differ significantly. The Entity-Relationship (ER) model and its variants serve as an almost de facto standard for conceptual database design and have been extended in AMAC to model and describe security requirements. The security and data requirements of each role performed in an organization are described by the individual ER schemas and form the view (perception) which each user group has of the enterprise data. Note that in this setting the notion of a view embraces all the information which a user performing a certain role in an organization is aware of. This information includes data, security requirements, and functions. Thus, the notion of views here is different from its sense in a DAC environment. To arrive at a conceptualization of the whole information system as seen from the viewpoint of the enterprise, AMAC employs view-integration techniques in a further design step. The resulting conceptual database model is described by a single ER schema which is extended by security flags that indicate security requirements entailed by certain user roles.

2. Logical Design. In order to implement the conceptual schema into a DBMS a transformation from the ER schema to the data model supported by the DBMS in use is necessary. AMAC contains general rules and guidelines for the translation of ER schemas into the relational data model. The output of the transformation process is a set of relational schemas, global dependencies that are defined between schemas and are necessary for maintaining database consistency in the further design steps, and a set of views, which now describe the access requirements entailed by the relation schemas. If the DBMS that is to hold the resulting database is capable only of supporting DAC, the relational schemas become candidates for implementation and the view descriptors may be employed as discretionary access controls. If a particular DBMS supports MAC, further design activities are necessary. The Requirements Analysis, Conceptual and Logical Design phases in AMAC are described by Pernul and Tjoa (1991).

3. The AMAC Security Object. In order to enforce mandatory security it is necessary to decide which security objects and security subjects are both subject to security label assignments. In AMAC a security object is a database fragment and a subject is a view. Fragments are derived using structured database decomposition and views are derived by combining
these fragments. A fragment is the largest area of the database to which two or more views have access in common. Additionally, no view exists with access to a subset of the fragment only. Pernul and Luef (1991) developed the structured decomposition approach and the automated labeling policy. Their work includes techniques for a lossless decomposition into fragments and algorithms to keep fragmented databases consistent during database update. It should be noted that a database decomposition into disjoint fragments is a natural way of implementing security controls in databases. 4. Support of Automated Security Labeling. As in most applications labeled data is not available, AMAC offers a supporting policy for automated security labeling of security objects and security subjects. Automated labeling is based on the following assumption: The larger the number of users cleared to access a particular fragment, the lower the sensitivity of the data contained in the fragment and, thus, the lower the level of classification with which the fragment has to be provided. This assumption would appear to be valid, inasmuch as a fragment that is accessed by many users will not contain sensitive information and, on the other hand, a fragment that is accessible to only a few users can be classified as highly sensitive. Views (respectively, users having a particular view as their access window to data) are ordered based on the number of fragments they may access (are defined over) and, in addition, based on the classifications assigned to the fragments. In general, a view needs a clearance that allows corresponding users to access all the fragments which the view is defined over. A suggested classification class(F)applies to an entire fragmental schema F as well as all attribute names and type definitions for the schema, while a suggested clearance Clear( V) applies to all transactions executing on behalf of a user V. 
It should be noted that classifications and clearances are only candidates for security labels and may be refined by a human database designer if necessary.
5. Security Enforcement. In AMAC fragments are physically stored and access to a fragment may be controlled by a reference monitor. Security is enforced by means of trigger mechanisms. Triggers are hidden rules that can be fired (activated) if a fragment is affected by certain database operations. In databases security-critical operations include the select (read-access), insert, delete, and update (write access) commands. In AMAC select triggers are used to route queries to the proper fragments, insert triggers are responsible for decomposing tuples and inserting corresponding sub-tuples into the proper fragments, and update and delete triggers are responsible for protecting against unauthorized modification by restricting information flow from high to low in cases that could lead to undesired information transfer. The operational semantics of AMAC database operations and the construction of the select and insert triggers are outlined by Pernul (1992a).
2.3.2 Technical Presentation of AMAC. An Example
In AMAC security constraints are handled in the course of database design as well as query processing. In the course of database design they are expressed by the database decomposition while during query processing they are enforced by trigger mechanisms. In the discussion which follows we will give the technical details of the decomposition process, the decomposition itself, the automated security-labeling process, and certain integrity constraints that have to be considered in order to arrive at a satisfactory fragmentation. In AMAC it is assumed that the Requirements Analysis is performed on an individual user group basis and that the view which each user group has of the database is represented by an ER model. The ER Model has been extended to cover, besides the data semantics, the access restrictions of the user group. The next design activity is view integration. View integration techniques are well established in conceptual database design and consist in integration of the views of individual user groups into a single conceptual representation of the database. In AMAC the actual integration is based on a traditional approach and consists of two steps: integration of entity types and integration of relationship types (Pernul and Tjoa, 1991). During the integration correspondences between modeling constructs in different views are established and, based on the different possible correspondences, the integration is performed. Following integration the universe of discourse is represented by a single ER diagram extended by the access restrictions for each user group. The next step is to transform the conceptual model into a target data model. AMAC offers general rules for the translation into the relational data model.
The translation is quite simple and results in three different types of modeling constructs: relation schemas (entity-relations or relationship-type relations), interrelational dependencies defined between relation schemas, and a set of view descriptors defined on relation schemas and representing security requirements in the form of access restrictions for the different user groups. In the relational data model user views have no conceptual representation. The decomposition and labeling procedure in AMAC is built around the concept of a user view, entailing a simple extension of the relational data model. Let RS(ATTR, LD) be a relational schema with ATTR a set of attributes $\{A_1, \ldots, A_n\}$. Each $A_i \in ATTR$ has domain $dom(A_i)$. LD is a set of functional dependencies (FDs) restricting the set of theoretically possible instances of a relation R with schema RS (i.e., $\times_i\, dom(A_i)$) to the set of semantically meaningful instances. A relation R with schema RS consists in
a set of distinct instances (tuples) $\{t_1, \ldots, t_m\}$ of the form $(a_1, \ldots, a_n)$ where $a_i$ is a value within $dom(A_i)$. Let $RS_1(ATTR_1, LD_1)$ and $RS_2(ATTR_2, LD_2)$ be two relational schemas with corresponding relations $R_1$ and $R_2$. Let X and Y denote two attribute sets with $X \subseteq ATTR_1$ and $Y \subseteq ATTR_2$. The interrelational inclusion dependency (ID) $RS_1[X] \subseteq RS_2[Y]$ holds if for each tuple $t \in R_1$ there exists at least one tuple $t' \in R_2$ with $t[X] = t'[Y]$. If Y is a key in $RS_2$, the ID is called key-based and Y is said to be a foreign key in $RS_1$. Let $V = \{V_1, \ldots, V_p\}$ be a set of views. A view $V_i$ ($V_i \in V$, $i = 1..p$) consists of a set of descriptors specified in terms of attributes and a set of conditions on these attributes. The set of attributes spanned by the view can belong to one or more relation schemas. View conditions represent the access restrictions of a particular user group on the underlying base relations. For each user group there must be at least one view. The concepts defined above serve as the basis of the AMAC conceptual start schema SS. SS may be defined by a triple $SS(\mathcal{R}, GD, V)$, where:
$\mathcal{R} = \{RS_1(ATTR_1, LD_1), \ldots, RS_n(ATTR_n, LD_n)\}$ is a set of relational schemas,
$GD = \{ID_1, \ldots, ID_k\}$ is a set of key-based IDs,
$V = \{V_1, \ldots, V_p\}$ is a set of views.
If protection is sufficient, the relational schemas are candidates for implementation in a DBMS, the views may be used to implement content-based access controls, and the set GD of global dependencies may be associated with an insert rule, a delete rule, and a modification rule in order to ensure referential integrity during database operation. If DAC is not sufficient and MAC has to be supported, it is necessary to decide which are the security objects and subjects and to assign appropriate classifications and clearances. In order to express the security requirements defined by means of the views, a decomposition of SS into single-level fragments is necessary. The decomposition is based on the derived view structure and results in a set of fragmental schemas in such a way that no view is defined over a subset of the resulting schema exclusively. A single classification is assigned to each fragmental schema and the decomposition is performed by means of a vertical, horizontal, or derived horizontal fragmentation policy. A vertical fragmentation (vf) results in a set of vertical fragments $\{F_1, \ldots, F_r\}$ and is the projection of a relation schema RS onto a subset of its attributes. In order that the decomposition be lossless, the key of RS must be included in each vertical fragment. A vertical fragmentation (vf) $R = \{F_1, \ldots, F_r\}$ of a relation R is correct if for every tuple $t \in R$, t is the concatenation of $(v_1, \ldots, v_r)$ with $v_i$ a tuple in $F_i$ ($i = 1..r$). (vf) is used
to express “simple” security constraints that restrict access to certain attributes. The effects of (vf) on an existing set of FDs have been studied by Pernul and Luef (1991) who showed that if R is not in 3NF (third normal form), some FDs might get lost in a decomposition. To produce a dependency-preserving decomposition in AMAC, Pernul and Luef suggested including virtual attributes (not visible to any user) and updating clusters in vertical fragments if a schema is not in 3NF. A horizontal fragmentation (hf) is a subdivision of a relation R with schema RS(ATTR, LD) into a subset of its tuples based on the evaluation of a predicate defined on RS. The predicate is expressed as a boolean combination of terms, with each term a simple comparison that can be established to be true or false. An attribute on which (hf) is defined is called a selection attribute. A (hf) is correct if every tuple of R is mapped into exactly one resulting fragment. Appending one horizontal fragment to another leads to a further horizontal fragment or to R again. (hf) is used to express access restrictions based on the content of certain tuples. A derived horizontal fragmentation (dhf) of a relation $R_i$ with schema $RS_i(ATTR_i, LD_i)$ is a partitioning of $RS_i$ produced by applying a partitioning criterion defined on $RS_j$ ($i \neq j$). (dhf) is correct if there exists a key-based ID of the form $R_i[X] \subseteq R_j[Y]$ and each tuple $t \in R_i$ is mapped into exactly one of the resulting horizontal fragments. (dhf) may be used to express access restrictions that span several relations. A view $V_i$ ($V_i \in V$) defined on $\mathcal{R}$ represents the area of the database which a corresponding user group can access. Let F ($F = V_i \cap V_j$) be a database fragment; then F represents the area of the database to which two groups of users have access in common. If $F = V_i \setminus V_j$, F is accessible only to users having view $V_i$ as their interface to the database.
In this case, F represents data which are not contained in $V_j$ and, therefore, must not be accessible to the corresponding user set. From the point of view of a mandatory security policy a certain level of assurance must be given that users $V_j$ are restricted from access to F. In AMAC this is produced by separation. For example, fragment $(V_i \setminus V_j)$ is separated from fragment $(V_j \setminus V_i)$ and fragment $(V_i \cap V_j)$ even if all the fragments belong to the same relation. The construction of the fragments makes a structured database decomposition necessary. In addition, to support mandatory access controls, the access window for the users is constructed in a multilevel fashion in which only the necessary fragments are combined to form a particular view. Let Attr(V) be the attribute set spanned by view V and let the subdomain SD(V[A]) be the domain of attribute A valid in view V ($SD(V[A]) \subseteq Dom(A)$). Two particular views $V_i$ and $V_j$ are said to be overlapping if
$$\exists A\ \big(A \in Attr(V_i \cap V_j) \ \text{and}\ SD(V_i[A]) \cap SD(V_j[A]) \neq \emptyset\big).$$
Otherwise, $V_i$ and $V_j$ are isolated. The process of decomposing $\mathcal{R}$ ($\mathcal{R} = \{RS_1(ATTR_1, LD_1), \ldots, RS_n(ATTR_n, LD_n)\}$) is performed for any two overlapping views and for each isolated view using the (vf), (hf), and (dhf) decomposition operations. It results in a fragmentation schema $FS = \{FS_1(attr_1, ld_1), \ldots, FS_m(attr_m, ld_m)\}$ and a corresponding set of fragments F ($F = \{F_1, \ldots, F_m\}$). If $\bigcup_i ATTR_i = \bigcup_j attr_j$ ($i = 1..n$, $j = 1..m$), the decomposition is called lossless, and if $\bigcup_i LD_i \subseteq \bigcup_j ld_j$ ($i = 1..n$, $j = 1..m$), it is said to be dependency preserving. Note that (hf) or (dhf) may result in additional FDs. A fragmental schema $FS_j \in FS$ is not valid if for any view V $(\exists F' \subset F_j)(V \rightarrow F' \wedge V \nrightarrow F_j)$. Here $V \rightarrow F$ denotes that users with view V have access to fragment F, while $V \nrightarrow F$ means that F is not included in view V. To illustrate these concepts, we now apply the fragmentation policy to the example given in the Introduction. We assume that a Requirements Analysis has been performed and that the resulting ER model has been translated into the following start schema:
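$$
\begin{aligned}
SS = (\ \mathcal{R} = \{\ & Employee(\{SSN, Name, Dep, Salary\},\ \{SSN \rightarrow Name, Dep, Salary\}), \\
& Project(\{Title, Subject, Client\},\ \{Title \rightarrow Subject, Client\}), \\
& Assignment(\{Title, SSN, Date, Function\},\ \{Title, SSN \rightarrow Date, Function\})\ \}, \\
GD = \{\ & Assignment[Title] \subseteq Project[Title],\ Assignment[SSN] \subseteq Employee[SSN]\ \}, \\
V = \{\ & V_1, V_2, V_3, V_4, V_5\ \}\ )
\end{aligned}
$$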
The security policy of the organization requires that the following security conditions be represented:
• View V1 represents the access window for management of the particular organization. Users with view V1 should have access to the entire database.
• Views V2 and V3 represent users of the payroll department. Their requirements include access to Employee and Assignment. For V2 access to Employee is not restricted. However, access to the attribute Function should be provided only if Salary ≤ 100 for certain employees. Users V3 should have access only to employees and their assignments if Salary ≤ 80.
• View V4 has access to Project. However, access to the attribute Client should not be supported if the subject of a project is “research.”
• View V5 represents the view of users of the quality-control department. In order for these users to perform their duties, they must have access to all information related to projects with subject development, i.e., to project data, assignment data, and data concerning assigned employees.
FIG. 3. Example of AMAC database decomposition. (a) Graphical representation of the view structure. (b) Structural decomposition.
Given these types of security requirements, construction of the fragmentation schema in AMAC is warranted. The security constraints fall into three different categories: simple constraints, which define a vertical subset of a relation schema, and content-based or complex constraints, which both define horizontal fragments of data. A (simplified) graphical representation of the corresponding view structure is given in Fig. 3(a). The view structure forms the basis of the decomposition. Because view V1 spans the entire database, it does not produce any decomposition. View V2 results in a derived horizontal fragmentation (dhf) of Assignment based on evaluation of the predicate p: Salary ≤ 100 defined on Employee. The decomposition is valid because of the existence of the key-based inclusion dependency between Employee and Assignment. For those tuples matching
the condition in the second step, a vertical fragmentation (vf) is performed which splits attribute Function from the other attributes in the derived fragment. In Fig. 3(b) the outcome of this operation is shown as IF21 and IF22. Introducing view V3 results in a horizontal fragmentation (hf) of Employee (into IF3 and IF4) and into a (dhf) of IF1. IF1 is split into IF11 (assignment data of employees with salary below 80) and IF12 (assignment data of employees having a salary between 81 and 99). Again, this fragmentation is valid because of the existence of the key-based ID $Assignment[SSN] \subseteq Employee[SSN]$. Introducing view V4 results in application of (hf) to Project and a further (vf)-decomposition splits attribute Client from projects having as Subject the value “research.” The result of the operations is given in Fig. 3(b) as the fragments F1 and F2. Introducing view V5 again entails several additional (hf) and (dhf) operations. Starting with “project” (hf) is performed on IF, resulting in F3 (holding projects with subject “development”) and F4 (holding all other projects). The next step is (dhf) of Assignment, an operation that is necessary in order to find all assignment data that relates to projects having as subject “development.” Such data may be found in each intermediate fragment derived so far; thus, a total of four different (dhf) operations are necessary. A similar situation occurs with employee data. The final decomposition is given in Fig. 3(b) and consists of 16 different fragments. In order to support MAC it is necessary to determine the security objects and security subjects and to assign appropriate classifications and clearances. In AMAC (semi-) automated security label assignment is supported and based on the following assumption: A fragment accessed by numerous users cannot contain sensitive information, whereas a fragment that is accessed by only a few users may contain sensitive data.
In AMAC such an assumption leads to assignment of a “low” classification level to the former type of fragment and a “high” classification to the latter type. On the other hand, views that access a large number of fragments or fragments assigned “high” classifications must have “high” clearances. In general, a view requires a clearance which allows appropriate users access to all fragments which the view is defined over. Let $F = \{F_1, \ldots, F_m\}$ be a set of fragments and $V = \{V_1, \ldots, V_p\}$ a set of views defined on the database. Let $a: F \rightarrow P(V)$ be a mapping that assigns to a fragment the set of views having access to this fragment. By $card\ a(F_i \rightarrow P(V))$ we denote the cardinality of the set of views accessing the fragment, i.e., $|a(F_i)|$. $card\ a(F_i \rightarrow P(V))$ determines the level of classification that fragment $F_i$ must be provided with. Let $d: V \rightarrow P(F)$ be a mapping which associates with some view the set of fragments spanned by this view. By $card\ d(V_j \rightarrow P(F))$ we denote the cardinality of the set of fragments which a user with view $V_j$ has access to, i.e., $|d(V_j)|$. By applying $a(F_i)$ and $d(V_j)$ to the example discussed earlier, we derive the following mappings:
Mappings from fragments to views:
$a(F_2) = \{V_1\}$, $a(F_6) = \{V_1\}$,
$a(F_1) = \{V_1, V_4\}$, $a(F_4) = \{V_1, V_4\}$, $a(F_5) = \{V_1, V_5\}$, $a(F_8) = \{V_1, V_2\}$, $a(F_{10}) = \{V_1, V_2\}$, $a(F_{14}) = \{V_1, V_2\}$,
$a(F_3) = \{V_1, V_4, V_5\}$, $a(F_7) = \{V_1, V_2, V_5\}$, $a(F_9) = \{V_1, V_2, V_5\}$, $a(F_{12}) = \{V_1, V_2, V_3\}$, $a(F_{13}) = \{V_1, V_2, V_5\}$, $a(F_{16}) = \{V_1, V_2, V_3\}$,
$a(F_{11}) = \{V_1, V_2, V_3, V_5\}$, $a(F_{15}) = \{V_1, V_2, V_3, V_5\}$.
Mappings from views to fragments:
$d(V_1) = \{F_1, F_2, F_3, F_4, F_5, F_6, F_7, F_8, F_9, F_{10}, F_{11}, F_{12}, F_{13}, F_{14}, F_{15}, F_{16}\}$,
$d(V_2) = \{F_7, F_8, F_9, F_{10}, F_{11}, F_{12}, F_{13}, F_{14}, F_{15}, F_{16}\}$,
$d(V_3) = \{F_{11}, F_{12}, F_{15}, F_{16}\}$,
$d(V_4) = \{F_1, F_3, F_4\}$,
$d(V_5) = \{F_3, F_5, F_7, F_9, F_{11}, F_{13}, F_{15}\}$.
Let us now order the fragments based on the assumption we have presented. The ordering defines the level of classification that has to be assigned to a fragment. Based on our assumption, we may derive the following dominance relationship between the classifications (assuming, to simplify the discussion, a uniform distribution of users among views): $\{class(F_2), class(F_6)\} > \{class(F_1), class(F_4), class(F_5), class(F_8), class(F_{10}), class(F_{14})\} > \{class(F_3), class(F_7), class(F_9), class(F_{12}), class(F_{13}), class(F_{16})\} > \{class(F_{11}), class(F_{15})\}$. Furthermore, $clear(V_1) \geq \{class(F_1), \ldots, class(F_{16})\}$, $clear(V_2) \geq \{class(F_7), \ldots, class(F_{16})\}$, $clear(V_3) \geq \{class(F_{11}), class(F_{12}), class(F_{15}), class(F_{16})\}$, $clear(V_4) \geq \{class(F_1), class(F_3), class(F_4)\}$, and $clear(V_5) \geq \{class(F_3), class(F_5), class(F_7), class(F_9), class(F_{11}), class(F_{13}), class(F_{15})\}$. The security classifications are assigned based on the ordering of the fragments and are given in Fig. 4. The dominance relationship (d > c > b > a) holds for the levels. Structured decomposition results in the assignment of a classification label to each fragmental schema and a clearance to each user view. Thus, a fragmental schema can be denoted FS(attr, ld, c), which may be understood to mean that data contained in FS is uniformly classified by classification c. The process of structured decomposition and label assignment can be automated. The assigned security labels serve only as a suggestion to a human database designer, who can refine them as necessary. However, it is commonly agreed that if the number of different views is large, automated
labeling will produce very satisfactory results.
FIG. 4. Example of assigned classifications.
The outcome of the decomposition and the assigned classifications and clearances are maintained by three catalog relations: the Dominance Schema, the Data Schema, and the Decomposition Schema. Applied to the sample label assignment, this means that based on the AMAC assumptions fragments F6 and F2 describe the most sensitive area of the database. This seems a legitimate result, since F6 holds the attribute Function of assignments of employees that earn more than 100 if the assignment refers to a project with attribute Subject ≠ “development” and F2 contains sensitive information stating the clients of projects having as subject “research.” Since only one group of users (V1) has access to both fragments, F2 and F6 are assigned a classification that dominates all other classifications of the database and is dominated solely by clear(V1). On the other hand, fragments F11 and F15 are accessed by most of the views. The AMAC labeling assumption seems legitimate here, too, because both fragments describe nonsensitive data concerning employees and their assignments if the employee earns less than 80 and if the corresponding project has as subject “development.” In AMAC multilevel relations exist solely at a conceptual level. The access window for the users is constructed in a multilevel fashion so that only necessary fragments are combined to form a particular view. This is done in a way that is entirely transparent to the user, first, by filtering out fragments that dominate a particular user’s clearance and, second, by performing the inverse decomposition operation on the remaining fragments. For (vf) this represents a concatenation of vertical fragments (denoted $\langle c \rangle$) and, for (hf) and (dhf), an append of horizontal fragments (denoted $\langle a \rangle$). In the example we are considering, views V1 and V2 on Employee and Assignment can be constructed in the following way ($\langle * \rangle$ denotes the join operation):
$V_1 \leftarrow (F_{15} \langle a \rangle F_{16}) \langle a \rangle (F_{13} \langle a \rangle F_{14}) \ \langle * \rangle\ ((F_5 \langle a \rangle F_6) \langle c \rangle (F_7 \langle a \rangle F_8)) \langle a \rangle (F_9 \langle a \rangle F_{10}) \langle a \rangle (F_{11} \langle a \rangle F_{12})$
$V_2 \leftarrow (F_{15} \langle a \rangle F_{16}) \langle a \rangle (F_{13} \langle a \rangle F_{14}) \ \langle * \rangle\ (F_7 \langle a \rangle F_8) \langle a \rangle (F_9 \langle a \rangle F_{10}) \langle a \rangle (F_{11} \langle a \rangle F_{12})$
The conceptual multilevel relations look different to different users, depending on the view. For example, the relation Assignment consists of {F5, ..., F12} for users V1, of {F7, ..., F12} for users V2, and of {F11, F12} only for users V3. Three catalog relations are necessary in AMAC in order to maintain the database decomposition, construct the multilevel relations, and control the integrity of the database: the Decomposition Schema, the Data Schema, and the Dominance Schema. Figure 5 presents some of the catalog relations that result from decomposition of the sample database.
FIG. 5. AMAC catalog relations. (a) Dominance Schema. (b) Data Schema. (c) Decomposition Schema.
• Decomposition Schema. The schema comprises a mapping of the decomposition structure into a flat table. Its contents are needed to reconstruct multilevel relations from single-level fragments.
• Dominance Schema. The schema is used to model the allocation from fragments to users. Whenever a user-supplied query attempts to access a multilevel relation, the system has to make certain that the access request does not violate the security policy of the organization. For example, if there is a rule which states that the user’s clearance must dominate the classification of the referenced data, this rule may be complemented using information from the Decomposition Schema and the Dominance Schema.
• Data Schema. The Data Schema contains the schema definitions of the fragments and the set of integrity conditions which must be valid for every tuple in the fragment. Update operations performed on tuples in horizontal fragments may lead to transfer of tuples to other horizontal fragments. This occurs if the update changes the value of a selection predicate to a value beyond the domain of this attribute in the fragment. If information from the data schema is used, it is always possible to determine the valid domain of the selection attributes in the fragments and to route tuples to the proper fragments in case an update or insert operation is performed.
So far we have shown how the security requirements can be expressed in AMAC during database design by means of structured decomposition. In Pernul (1992a) it is shown how these requirements can be enforced during database operation by means of database triggers. Triggers are implemented in most DBMS-products and can be used to perform hidden actions without the user’s knowledge. Generally speaking, a trigger consists of two parts. The first part, the trigger definition, specifies when the trigger should be invoked, while the second part, the trigger action, defines the actions which the trigger is to perform. We see triggers as an alternative way of implementing a security policy. In the following discussion we will specify the simple security property (read access) of BLP by means of a select trigger. Similar triggers have been developed by Pernul (1992a) for the insert statement (write access) and have been outlined for the update and delete statements. In what follows, assume that a user having clearance C has logged on to the system. Based on the information of the Dominance Schema, a set of security classifications $\{c_1, \ldots, c_n\}$ with $C \geq \{c_1, \ldots, c_n\}$ may be derived. Any process operating on
behalf of the user that attempts to access any fragment with schema FS(attr, ld, c′) and $c' \notin \{c_1, \ldots, c_n\}$ will not be properly authorized and, thus, the corresponding fragments will not be affected by operations performed by the C-level user. For security reasons, database fragmentation must be completely transparent to the users and users must be supported with the name of the base relations even if they are authorized to access a subset of a multilevel relation only. Read access is performed by means of a Select statement which has the following form:
    SELECT attribute list
    FROM base relations
    WHERE p
Every query contains as parameter the user’s identification and the set of referenced base relations. Every multilevel base relation has assigned to it triggers which are executed when the base relation is affected by a corresponding operation. As an example consider the definition of a Select trigger as specified below. Here, %X denotes a parameter, and the keyword DOWN-TO represents the transitive closure of the base relation (i.e., the set of fragments resulting from a base relation). The trigger implements the simple security property of BLP.
    CREATE TRIGGER Select-Trigger
    ON each-base-relation
    FOR SELECT
    AS BEGIN
        declare @dominates, @classification
        SELECT @dominates = SELECT Dominates FROM Dominance Schema
            WHERE View = %V
        SELECT @classification = SELECT Class FROM Decomposition Schema
            WHERE Parent = %specified-base-relation DOWN-TO each-resulting-fragment
        IF @dominates ∩ @classification ≠ ∅
        THEN perform query for each element IN (@dominates ∩ @classification)
        ELSE Print ‘Base relation not known to the system’
             Rollback Transaction
    END Select-Trigger
As an example consider a user belonging to class V3 who wishes to know the names of all the employees and their function in assigned projects. Note that users with view V3 should be prevented from accessing data concerning employees who earn more than 80. The user issues the following query:
    SELECT Name, Function
    FROM Employee, Assignment
    WHERE Employee.SSN = Assignment.SSN
Applied to this example, the clearance assigned to users with view V3 gives @dominates = {a1, a2, b4, b6}, @classification = {d2, c3, c4, c5, c6, b2, b3, b4, b5, b6, a1, a2}, and @dominates ∩ @classification = {a1, a2, b4, b6}. Thus, the query is automatically routed to the corresponding fragments F11, F12, F15, and F16 and, based on the information of the Decomposition Schema, V3 can be constructed by means of the inverse decomposition operation, i.e., $V_3 \leftarrow (F_{15} \langle a \rangle F_{16}) \ \langle * \rangle\ (F_{11} \langle a \rangle F_{12})$. The outcome of the Select operation is in accordance with the simple security property of BLP.
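The labeling rule and the Select trigger of this section, carried through in Python as an added example (not code from the chapter or from an AMAC implementation). It starts from the view-to-fragment mappings d(V) of the worked example; the parent-to-fragment table and the numbering of labels within a level are assumptions, because the contents of Fig. 4 and Fig. 5 are not reproduced here.

```python
# Added illustration of AMAC automated labeling and Select-trigger routing.
# D is the chapter's view-to-fragment mapping d(V). DECOMPOSITION and the
# per-level label numbering (a1, a2, b1, ...) are assumptions of this sketch.

D = {
    "V1": {f"F{i}" for i in range(1, 17)},
    "V2": {f"F{i}" for i in range(7, 17)},
    "V3": {"F11", "F12", "F15", "F16"},
    "V4": {"F1", "F3", "F4"},
    "V5": {"F3", "F5", "F7", "F9", "F11", "F13", "F15"},
}

# Decomposition Schema reduced to: base relation -> fragments derived from it.
DECOMPOSITION = {
    "Project": [f"F{i}" for i in range(1, 5)],
    "Assignment": [f"F{i}" for i in range(5, 13)],
    "Employee": [f"F{i}" for i in range(13, 17)],
}


def invert(d):
    """Mapping a: fragment -> set of views that have access to it."""
    a = {}
    for view, fragments in d.items():
        for fragment in fragments:
            a.setdefault(fragment, set()).add(view)
    return a


def classify(d):
    """Label each fragment: the fewer views access it, the higher its level."""
    a = invert(d)
    # Distinct cardinalities, largest first: the most shared fragments get 'a'.
    cardinalities = sorted({len(views) for views in a.values()}, reverse=True)
    level_of = {c: chr(ord("a") + i) for i, c in enumerate(cardinalities)}
    labels, counters = {}, {}
    for fragment in sorted(a, key=lambda f: int(f[1:])):
        level = level_of[len(a[fragment])]
        counters[level] = counters.get(level, 0) + 1
        labels[fragment] = f"{level}{counters[level]}"
    return labels


def dominance_schema(d, labels):
    """Dominance Schema: view -> set of labels its clearance dominates."""
    return {view: {labels[f] for f in fragments} for view, fragments in d.items()}


def select_trigger(view, base_relations, d=D):
    """Route a SELECT to the fragments the view's clearance dominates.

    Mirrors the trigger's test: for every referenced base relation the
    intersection of @dominates and @classification must be non-empty.
    """
    labels = classify(d)
    dominates = dominance_schema(d, labels)[view]
    routed = {}
    for relation in base_relations:
        fragments = [f for f in DECOMPOSITION[relation] if labels[f] in dominates]
        if not fragments:
            # Same answer as for a relation that does not exist at all.
            raise LookupError("Base relation not known to the system")
        routed[relation] = fragments
    return routed


if __name__ == "__main__":
    print(classify(D))
    print(select_trigger("V3", ["Employee", "Assignment"]))
```

For view V3 the computed Dominance Schema entry is {a1, a2, b4, b6}, and a query over Employee and Assignment is routed to F15, F16 and F11, F12, as in the worked example.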
2.4 The Personal Knowledge Approach
The personal knowledge approach is focused on protecting the privacy of individuals by restricting access to personal information stored in a database or information system. The model serves as the underlying security paradigm of the prototype DBMS Doris (Biskup and Brüggemann, 1991). The main goal of this security technique is to ensure the right of individuals as regards informational self-determination, now part of the laws of many countries. In this context, the notion of privacy can be summarized as asserting the basic right of an individual to choose which elements of his or her private life may be disclosed. In the model, all individuals, users as well as security objects, are represented by an encapsulated person-object (in the sense of object-oriented technology). The data part of a person-object corresponds to the individual knowledge of himself or herself and his or her relationship to other persons. The operation part of a person-object corresponds to the possible actions which an individual may perform. The approach is built on the assumption that a person represented in a database has complete knowledge of himself or herself and that if he or she wishes to know something about someone else represented in the database, that person must first be asked. Knowledge of different persons cannot be stored permanently and, therefore, must be requested from the person each time information is requested. In an effort to achieve this lofty goal, the personal knowledge approach developed by Biskup and Brüggemann (1988, 1989) combines techniques of relational databases, object-oriented programming, and capability-based operating systems. More technically, it is based on the following constructs:
Persons. A person-object represents either information concerning an individual about whom data is stored in the information system or represents the actual users of the system. Each person is an instance of a class, called group. Groups form a hierarchy and, in accordance with object-oriented concepts, a member of a group has the components of the group
as well as inherited components from all its supergroups. More technically, an individual person-object is represented by an NF²-tuple (non-first-normal-form, i.e., it may have nonatomic attribute values) with entries of the following form:
t (Surrogate, Knows, Acquainted, Alive, Available, Remembers)
where
• Surrogate is a unique identifier which is secretly created by the system
• Knows is application dependent and organized as a relation with set of attributes $\{A_1, \ldots, A_n\}$; it represents the personal knowledge of the person-object
• Acquainted is a set of surrogates representing other person-objects of which the person is aware
• Alive is a boolean value
• Available contains the set of rights which the person has made available to others
• Remembers contains a set of records describing messages which have been sent or received
Each person is represented as an instance of a group. All persons in a group have the same attributes, operations, roles, and authorities. The operation part of an object consists of system-defined operations which are assigned to groups. Examples of common system-defined operations are ‘create’ (creates a new instance of a group); ‘tell’ (returns the value of the attribute Knows); ‘insert’, ‘delete’, and ‘modify’ (transform Knows); ‘acquainted’ (returns the value for Acquainted), and others.
Communication between Acquainted Objects. Persons are acquainted with other persons. A person individually receives his or her acquaintances by using the operation ‘grant’. The set of acquaintances of a person describes the environment of this person and denotes the set of objects which the person is allowed to communicate with. Communication is performed by means of messages that may be sent from a person to his or her acquaintances in order to query their personal knowledge or to ask that an operation be performed, for example, that knowledge be updated.
Roles and Authorities. Depending on the authority of the sender, the receiver of a message may react in different ways. The authority of a person with respect to an acquaintance is based on the role which the person is currently performing. While the set of acquaintances of a person may change dynamically, authorities and roles are statically declared in the system. When a person-object is created as an instance of a group, it receives the authorities declared in this group and in all its supergroups.
Auditing. Each person remembers the messages the person is sending or receiving. This is established by adding all information about recent queries and updates together with the authorities available at that time to the ‘knowledge’ (attribute Remembers) of the sender and receiver person-object. Based on this information, auditing can be performed and all transactions traced by just ‘asking’ the affected person.
Security (privacy) enforcement following the personal-knowledge approach is based on two independent features. First, following login each user is assigned as instance a person-object type and, thus, assumes individually received acquaintances and statically assigned authorities as roles. Second, whenever a user executes a query or an update operation, the corresponding transaction is automatically modified in such a way that resulting messages are sent only to the acquaintances of the person. Summarizing, the personal-knowledge approach is fine-tuned to meet the requirements of informational self-determination. Thus, it is the preferable approach as the underlying security paradigm for database applications in which information about individuals which is not available to the public is maintained, for example, in hospital information systems or databases containing census data.
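The constructs of this section (person-objects, groups with inherited authorities, messages restricted to acquaintances, and auditing through Remembers) put together as an added Python sketch; it is not the Doris implementation. The group, role and operation assignments, the hospital data, and the exact semantics given to ‘grant’ and to the authority check are assumptions made for the illustration.

```python
# Added sketch of the personal knowledge approach. All names and data are
# constructed; the authority check and 'grant' semantics are assumptions.
import itertools

_surrogates = itertools.count(1)  # assumption: any system-generated unique id


class Group:
    """A group declares authorities per role; subgroups inherit them."""

    def __init__(self, name, parent=None, authorities=None):
        self.name = name
        self.parent = parent
        self.authorities = authorities or {}  # role -> set of operation names

    def all_authorities(self):
        """Authorities declared in this group and in all its supergroups."""
        merged = self.parent.all_authorities() if self.parent else {}
        for role, operations in self.authorities.items():
            merged[role] = merged.get(role, set()) | set(operations)
        return merged


class Person:
    """Tuple (Surrogate, Knows, Acquainted, Alive, Available, Remembers)."""

    def __init__(self, group, knows=None):
        self.surrogate = next(_surrogates)
        self.group = group
        self.knows = dict(knows or {})   # simplification: one tuple of Knows
        self.acquainted = set()          # surrogates of known person-objects
        self.alive = True
        self.available = set()           # part of the tuple, unused here
        self.remembers = []              # records of messages sent/received
        self.authorities = group.all_authorities()  # static after creation

    def grant(self, other):
        """Assumed semantics: `other` becomes an acquaintance of this person."""
        self.acquainted.add(other.surrogate)

    def send(self, receiver, role, operation, **args):
        """Deliver a message only to an acquaintance; both sides remember it."""
        if receiver.surrogate not in self.acquainted or not receiver.alive:
            return None                  # no message leaves the sender
        authorized = operation in self.authorities.get(role, set())
        record = (self.surrogate, receiver.surrogate, role, operation, authorized)
        self.remembers.append(record)
        receiver.remembers.append(record)
        return receiver.react(operation, args) if authorized else None

    def react(self, operation, args):
        """The receiver's reaction to an authorized message."""
        if operation == "tell":
            return dict(self.knows)
        if operation == "modify":
            self.knows.update(args)
            return True
        raise ValueError(f"unsupported operation: {operation}")


def demo():
    """Constructed hospital scenario with a patient, a physician and a clerk."""
    person = Group("person")
    staff = Group("staff", person, {"ward_round": {"tell"}})
    physician = Group("physician", staff, {"treating": {"tell", "modify"}})
    patient = Person(Group("patient", person), {"allergy": "penicillin"})
    doctor, clerk = Person(physician), Person(staff)
    doctor.grant(patient)
    results = {
        "doctor_roles": sorted(doctor.authorities),
        "doctor_tell": doctor.send(patient, "treating", "tell"),
        "clerk_unacquainted": clerk.send(patient, "ward_round", "tell"),
    }
    clerk.grant(patient)
    results["clerk_modify"] = clerk.send(patient, "ward_round", "modify",
                                         allergy="none")
    results["patient_knows"] = dict(patient.knows)
    results["audit"] = list(patient.remembers)  # auditing: ask the person
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The clerk's update is refused because the role ward_round carries no authority for ‘modify’, yet the attempt still appears in the patient's Remembers, which is what makes tracing by ‘asking’ the affected person possible.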
2.5 The Clark and Wilson Model
This model was first summarized and compared to MAC by Clark and Wilson (1987), who claimed that their model was based on concepts already well established in the pencil-and-paper office world. These concepts include the notion of security subjects, (constraint) security objects, a set of well-formed transactions, and the principle of separation of duty responses. If we transfer these principles to the database and security world, they assume the following interpretation: Users of a system are restricted to executing solely a certain set of transactions permitted to them, and each transaction operates solely on an assigned set of data objects. More precisely, the Clark and Wilson approach may be interpreted in the following way:
1. Security subjects are assigned to roles. Based on the role which they play in an organization, users have to perform certain functions. Each business role is mapped into database functions and, ideally, at a given time, a particular user is playing only one role. A database function corresponds to a set of (well-formed) transactions that are necessary for users acting in a particular role. In this model it is essential to state which user is acting in which role at what time and, for each role, what transactions have to be carried out. To control against unauthorized disclosure
and modification of data, Clark and Wilson proposed that access be permitted only through execution of certain programs and well-formed transactions, and that the rights of users to execute such code be restricted based on the particular role in which a user is acting.
2. Well-formed transactions. A well-formed transaction operates on an assigned set of data. It is necessary to ensure that all the relevant security and integrity properties are satisfied. In addition, a well-formed transaction must provide logging and atomicity as well as serializability of the resulting subtransactions in such a way as to enable the construction of concurrency and recovery mechanisms. It is important to note that, in this model, data items referenced by transactions are not specified by the user implementing the transaction. Rather, data items are assigned depending on the role which the user is enacting. Thus, the model does not allow ad hoc database queries.
3. Separation of duty. This principle requires assigning to each set of users a specific set of responsibilities based on the role the user enacts in the organization. The only way for a user to access data in the database is through an assigned set of well-formed transactions specific to the role which the particular user enacts. In those cases in which a user requires additional information, another user (cleared at a higher level) acting in a separate role must implement a well-formed transaction from the transaction domain of the role he is enacting in order to grant the initial user temporary permission to execute a larger set of well-formed transactions. Moreover, the roles have to be defined in such a way as to make it impossible for a single user to violate the integrity of the system. For example, the design, implementation, and maintenance of a well-formed transaction must be assigned to a different role than execution of the transaction.
A first attempt to implement the concept of a well-formed transaction was that of Thomsen and Haigh (1990). The authors compared the effectiveness of two mechanisms for implementing well-formed transactions, Lock type enforcement (see Subsection 3.2) and the Unix setuid mechanisms. With type enforcement, accesses of user processes to data can be restricted based on the domain of the process and the type of data. The setuid and setgid features allow a user who is not the owner of a file to execute commands in the file with the owner’s permission. Although Thomsen and Haigh concluded that both mechanisms are suitable for implementing the Clark and Wilson concept of a well-formed transaction, no further studies or implementation projects are known.
The Clark and Wilson model has drawn considerable interest in recent years. However, though it seems quite promising at first glance, it is still
lacking, we believe, detailed and thorough investigation. In particular, the only potential threats to the security of a system which were addressed were penetration of data by authorized users, unauthorized actions by authorized users, and the abuse of privileges by authorized users. As noted early in our discussion, this represents only a subset of the required functionality of the mandatory security features of a DBMS.
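The interpretation given in items 1 to 3 above can be made concrete with a small reference monitor. This is an added example, not code from Clark and Wilson or from the chapter; the class, role, transaction and data-item names are hypothetical, and the store is a plain dictionary standing in for the database.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WellFormedTransaction:
    name: str
    data_items: frozenset   # data assigned to the transaction, never chosen by the caller
    maintained_by: str      # role that designs, implements and maintains the code


class Monitor:
    """Users reach data only through the transactions of the role they enact."""

    def __init__(self, transactions, role_transactions):
        self.tps = {tp.name: tp for tp in transactions}
        self.role_tps = role_transactions   # role -> names of permitted transactions
        self.active_role = {}               # user -> the single role currently enacted
        self.log = []                       # every attempt, permitted or not
        # Separation of duty: the role maintaining a transaction may not execute it.
        for role, names in role_transactions.items():
            for name in names:
                if self.tps[name].maintained_by == role:
                    raise ValueError(f"role {role!r} both maintains and executes {name!r}")

    def assume_role(self, user, role):
        self.active_role[user] = role       # replaces any previous role

    def execute(self, user, tp_name, store, body):
        role = self.active_role.get(user)
        permitted = tp_name in self.role_tps.get(role, ())
        self.log.append((user, role, tp_name, permitted))
        if not permitted:
            raise PermissionError(f"{user!r} acting as {role!r} may not run {tp_name!r}")
        tp = self.tps[tp_name]
        # The transaction sees only its assigned data items (no ad hoc access).
        working = {item: store[item] for item in tp.data_items}
        body(working)                       # may raise; the store is then untouched
        if set(working) != set(tp.data_items):
            raise ValueError("transaction touched data outside its assigned set")
        store.update(working)               # commit all changes together


# Constructed sample configuration.
TPS = [
    WellFormedTransaction("post_payment", frozenset({"balance", "ledger"}), "developer"),
    WellFormedTransaction("adjust_limit", frozenset({"credit_limit"}), "developer"),
]
ROLES = {"clerk": {"post_payment"}, "supervisor": {"adjust_limit"}, "developer": set()}


def post_payment(data):
    data["balance"] -= 50
    data["ledger"] = data["ledger"] + [("payment", 50)]


if __name__ == "__main__":
    monitor = Monitor(TPS, ROLES)
    store = {"balance": 200, "ledger": [], "credit_limit": 1000}
    monitor.assume_role("alice", "clerk")
    monitor.execute("alice", "post_payment", store, post_payment)
    print(store, monitor.log)
```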
2.6 A Final Note on Database Security Models
In this section we have discussed different approaches towards the representation of database security. In concluding the section, we wish to note that although the models differ significantly, all of the approaches which we have discussed have their own raison d’être.
The discretionary security approach may be the first choice if a high degree of security is not necessary. Keeping the responsibility to enforce security on the user’s side is sufficient only if potential threats against security would not result in great damage. Even if a central authority is responsible for granting and revoking authorizations, DAC-based protection may still be subject to Trojan horse attacks and cannot be recommended as a security technique in security-critical database applications.
Mandatory policies are more effective as they entail users not having control over the creation and alteration of security parameters. In addition, a security policy suitable to a particular application may have both a mandatory and a discretionary component. Note, too, that real systems often allow for leaks on strict mandatory controls, for example, to privileged users, such as system administrators and security officers. Such back-door entry points often represent a serious source of vulnerability. Multilevel applications may become very complex. One way of countering this complexity would be to develop a conceptual representation of a multilevel database application. We will come back to this issue in Section 4, where a conceptual model for multilevel database security is introduced.
Although very effective, mandatory policies can only be applied in environments where labeled information is available. We believe this is one of the strongest points in favor of the AMAC security model. AMAC offers a design environment for databases with principal emphasis on security. It includes discretionary as well as mandatory controls. However, the model suffers from a limited level of expressiveness.
AMAC uses relational algebra to express security constraints which, for certain applications, may not be sufficiently expressive to specify sophisticated security constraints. We interpret the personal knowledge approach as a means of implementing discretionary controls. Permitting person-objects to decide whether to
respond to a query issued by another object seems to be a very effective way of maintaining the privacy of stored information. Privacy security may be an interesting alternative in applications where mainly personal information is maintained, for example in hospital information systems. The Clark and Wilson model has gained wide acceptance in recent years. Although at first glance it seems promising it is our belief that there is still a need for a detailed and thorough investigation because a number of major questions remain open. Many security-relevant actions are relegated to application programs; moreover, the model does not support ad hoc database queries. While we believe that most of the database security requirements could be expressed, this, however, would entail tremendous application development costs.
3. Multilevel Secure Prototypes and Systems
Trusted systems are systems for which convincing arguments or proofs have been given to the effect that the security mechanisms are working as prescribed and cannot be subverted. A basic property of trusted systems is their size; these systems tend to be quite large in terms of the amount of code needed for their implementation. This is especially true of complex systems, for example, trusted database management systems. A complete formal implementation proof of system specifications is still not possible using present-day technology, although a great deal of research on formal specification and verification is currently in progress. The enormous amount of code necessary is the reason for the very conservative approach taken by most trusted DBMSs in an effort to achieve a certain level of assurance through reuse and by building upon previously built and verified trusted systems, in an approach known as TCB subsetting.
A trusted computing base (TCB) refers to that part of a system which is responsible for enforcing a security policy; it may involve any combination of hardware, firmware, and operating system software. The term was defined in the Trusted Computer System Evaluation Criteria (TCSEC, 1985). The criteria define seven levels of trust, which range from systems that have minimal protection features to those that provide the highest level of security which state-of-the-art security techniques may produce. TCSEC is not the only proposal put forward for the purpose of defining objective guidelines upon which security evaluations of systems may be based. We will review TCSEC and other proposals in Section 5. TCB subsetting has been identified as a strategy for building trusted DBMSs in the Trusted Database Interpretation (TDI, 1990) of TCSEC. In this section we will discuss the most prominent projects which have had as
their goal the design of systems that meet the requirements of the higher levels of trust as specified in TDI evaluation criteria. In order to obtain evaluation at higher levels of trust, a system must be supported by mandatory access controls. There have been three main efforts at designing and implementing trusted relational database systems: SeaView, which has been implemented at SRI; LDV in the Honeywell SCTC; and ASD at TRW. Besides these (semi-) academic prototypes, several vendors, including Ingres, Informix, Oracle, Sybase, Trudata, and others, have announced or already released commercial systems that support mandatory access controls. The systems differ not only in details; there is not even agreement as to what should be the granularity of the security object. For example, SeaView supports labeling at an individual attribute value level, LDV supports tuple-level labeling, and in ASD-Views the security object is a materialized view. Some commercial systems, moreover, support security labeling exclusively at the relation level or even the database level.
3.1 SeaView
The most ambitious and exciting proposal aimed at the development of a trusted DBMS has come from the SeaView project (see Denning et al., 1987, or Lunt, 1990). The project was begun in 1987 and is a joint effort by Stanford Research Institute (SRI) International, Oracle, and Gemini Computers with the goal of designing and prototyping a multilevel secure relational DBMS. The most significant contribution of SeaView lies in the realization that multilevel relations must exist solely at a logical level and, moreover, may be decomposed into single-level base relations. These findings have a mainly practical import. In particular, single-level base relations can be stored using a conventional DBMS, while commercially available TCBs can be used to enforce mandatory controls with respect to single-level fragments.
The architectural approach taken by the SeaView project was intended to implement the entire DBMS on top of the commercially available Gemsos TCB (Schell et al., 1985). Gemsos provides user identification and authentication, maintenance of tables containing clearances, as well as a trusted interface for privileged security administrators. Multilevel relations are implemented as views over single-level relations. The single-level relations are transparent to the users and stored by means of the storage manager of an Oracle DBMS engine. From the viewpoint of Gemsos, every single-level relation is a Gemsos security object belonging to a certain access class. Gemsos enforces the mandatory security policy based on the Bell-LaPadula security paradigm. A label comparison is performed whenever a subject
attempts to bring a storage object into its address space. A subject is prevented from accessing storage objects not in the subject’s current address space by means of hardware controls that are included in Gemsos.
In addition to mandatory controls, the SeaView security policy requires that no user be given access to information unless that user has been granted discretionary authorization to this information. DAC-based protection is performed outside Gemsos and allows users to specify which users and groups have authorization to specific modes of access to particular database objects, as well as which users and groups are explicitly denied authorization to particular database objects.
Since a multilevel relation is stored as a set of single-level fragments, two algorithms are necessary:
1. A decomposition algorithm to break down multilevel relations into single-level fragments.
2. A recovery formula to reconstruct an original multilevel relation from fragments.
It is obvious that a recovery must yield identical results, otherwise the process of decomposition and recovery is incorrect. In SeaView, decomposition of multilevel relations into single-level relations is performed by means of vertical and horizontal fragmentation, while recovery is performed by union and join operations. For the following, consider a conceptual multilevel relation $R(A_1, C_1, \ldots, A_n, C_n, TC)$ where each $A_i$ is an attribute defined over a domain $D_i$ and each $C_i$ a security class from a list (TS, S, Co, U), where TS > S > Co > U. We assume $A_1$ is the apparent primary key. The original SeaView decomposition algorithm (Denning et al., 1988) consists of three steps and can be outlined as follows:
Step 1. The multilevel relation R is vertically partitioned into n projections $R_1[A_1, C_1], R_2[A_1, C_1, A_2, C_2], \ldots, R_n[A_1, C_1, A_n, C_n]$.
Step 2. Each $R_i$ is horizontally fragmented into a single resulting relation for each security level. Obviously, for (TS, S, Co, U) this results in 4n relations.
Step 3. In a further horizontal fragmentation $R_2, \ldots, R_n$ (i.e., 4n - 4 relations) are further decomposed into at most four resulting relations. The final decomposition is necessary in order to support polyinstantiation.
For this algorithm a performance study and worst-case analysis was performed by Jajodia and Mukkamala (1991) which demonstrated that a multilevel relation $R(A_1, C_1, \ldots, A_n, C_n, TC)$ decomposes into a maximum of (10n - 6) single-level relations.
The algorithm was subjected to extensive discussion in the scientific literature. Jajodia and Sandhu (1990b) pointed out that it leads to unnecessary single-level fragments. Moreover, performing a recovery of multilevel relations entails repeating joins that may lead to spurious tuples. As an alternative they proposed changing the polyinstantiation integrity property defined in the original SeaView data model by dropping the portion of the property that enforces multivalued dependency. Their suggestions led to a reformulation of the polyinstantiation integrity by Lunt et al. (1990). In a further proposal, Jajodia and Sandhu (1991b) presented a second algorithm that decomposes a multilevel relation into single-level fragments together with a new recovery algorithm which reconstructs an original multilevel relation. The recovery algorithm in this proposal improves earlier versions because, now, decomposition uses only horizontal fragmentation. Since no vertical fragmentations are required, it is possible to reconstruct a multilevel relation without having to perform costly join operations; only unions have to be processed. Recently, Cuppens and Yazdanian (1992) proposed a “natural” decomposition of multilevel relations based on a study of functional dependencies and an application of normalization whenever a decomposition of multilevel relations is attempted. As decomposition and recovery are crucial for SeaView performance, it is expected that the subject of efficient decomposition techniques for fragmentation of multilevel relations into single-level fragments will remain a heavily discussed research topic in the future.
A further contribution of SeaView was the development of a multilevel SQL (MSQL) database language (Lunt et al., 1988). MSQL is an extension of SQL (Structured Query Language) and includes user commands for operating on multilevel relations.
The design includes a preprocessor that accepts multilevel queries and translates the queries into single-level standard SQL queries operating on decomposed single-level fragments.
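The difference between join-based and union-based recovery discussed in this subsection can be seen on a small instance. The following is an added example, not the published SeaView or Jajodia and Sandhu algorithms: it models only Steps 1 and 2 of the outline (no Step 3, no null handling), and its horizontal variant simply fragments whole tuples by tuple class; the relation contents and function names are constructed.

```python
from itertools import product

LEVELS = ["U", "Co", "S", "TS"]              # total order U < Co < S < TS
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def tuple_class(row):
    """TC of a row: the highest class among its (value, class) elements."""
    return max((cls for _, cls in row), key=RANK.__getitem__)


def visible(clearance):
    """Levels a subject may read: those dominated by its clearance."""
    return [lvl for lvl in LEVELS if RANK[lvl] <= RANK[clearance]]


def decompose_vertical_horizontal(rel, n):
    """Steps 1 and 2: projections R_1[A1,C1], R_i[A1,C1,Ai,Ci], each split by level."""
    frags = {(i, lvl): set() for i in range(n) for lvl in LEVELS}   # 4n relations
    for row in rel:
        key = row[0]
        frags[(0, key[1])].add((key,))
        for i in range(1, n):
            frags[(i, row[i][1])].add((key, row[i]))
    return frags


def recover_by_join(frags, n, clearance):
    """Union the visible fragments of each projection, then join on (A1, C1)."""
    proj = [set().union(*(frags[(i, lvl)] for lvl in visible(clearance)))
            for i in range(n)]
    result = set()
    for (key,) in proj[0]:
        columns = [[t[1] for t in proj[i] if t[0] == key] for i in range(1, n)]
        for combo in product(*columns):      # every combination survives the join
            result.add((key,) + combo)
    return result


def decompose_horizontal(rel):
    """Horizontal-only variant: one fragment of whole tuples per tuple class."""
    frags = {lvl: set() for lvl in LEVELS}
    for row in rel:
        frags[tuple_class(row)].add(row)
    return frags


def recover_by_union(frags, clearance):
    """Recovery needs no join: the union of the fragments the subject may read."""
    return set().union(*(frags[lvl] for lvl in visible(clearance)))


# Constructed instance of R(A1, C1, A2, C2, A3, C3); A1 is the apparent key.
# The second row polyinstantiates the first without the extra combinations
# that a multivalued dependency would demand.
R = {
    (("Enterprise", "U"), ("Exploration", "U"), ("Talos", "U")),
    (("Enterprise", "U"), ("Spying", "S"), ("Rigel", "S")),
    (("Voyager", "S"), ("Survey", "S"), ("Mars", "TS")),
}

if __name__ == "__main__":
    vh = decompose_vertical_horizontal(R, 3)
    print("fragments:", len(vh))
    print("spurious after join:", recover_by_join(vh, 3, "TS") - R)
    print("union recovery exact:", recover_by_union(decompose_horizontal(R), "TS") == R)
```

On this instance the join recovery at TS returns two tuples that were never stored, while the union recovery returns exactly the original relation.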
3.2 Lock Data Views
Lock Data Views (LDV) is a multilevel secure relational DBMS, hosted on the Lock TCB and currently prototyped at the Honeywell Secure Computing Technology Center (SCTC) and MITRE. Lock supports a discretionary as well as mandatory security policy. The mandatory policy enforces the simple security property and the restricted *-property of BLP. The authors of LDV have stated that, because of its operating system orientation, the Lock security policy had to be extended for use in LDV (Stachour and Thuraisingham, 1990). One aspect of Lock, type enforcement, is of special interest for the increased functionality of this TCB in LDV.
The general concept of type enforcement in Lock and its use in LDV has been discussed by Haigh et al. (1990). The main idea is that a subject’s access to an object is restricted by the role he or she is performing in the system. This is done by assigning a domain attribute to each subject and a type attribute to each object, both of which are maintained within the TCB. Entries in the domain definition table correspond to a domain of a subject and to a type list representing the set of access privileges which this subject possesses within the domain.
The type enforcement mechanism of Lock made it possible to encapsulate LDV in a protected subsystem by declaring database objects to be special Lock types (Lock files) accessible only to subjects executing in the DBMS domain. Since only DBMS programs are allowed to execute in this domain, only DBMS processes can access Lock types holding portions of the database. The remaining problem that had to be solved was to enable secure release of data from the DBMS domain to the user domain. Fortunately, Lock supports implementation of assured pipelines that have been used in LDV to transfer data between DBMS and user domains. Assurance is achieved through appropriate trusted import and export filters (hardware and software devices).
Two basic extensions to the Lock security policy have been implemented in LDV. Both extensions concern proper classification of data. The first extension relates to insert and update of data. In the course of insert and update, data are assigned to the Lock type which is classified at the lowest level at which the tuple can be stored securely. The second extension is concerned with query results. The result of a query is transferred from Lock types into ordinary objects and the appropriate security level of the query result is derived.
The two policies are enforced in LDV by means of three assured pipelines: the query/response pipeline, the data/input pipeline, and the database definition/metadata pipeline.
The query/response pipeline is the query processor of LDV. It consists of a set of processes which execute multi-user retrieval requests, integrate data from different Lock types, and output information at an appropriate security level. A user-supplied query is first mapped from the application domain into the DBMS domain; the query is then processed, and the result is labeled and, finally, exported to the user. To prevent logical inference over time, the response pipeline includes a history function. This mechanism can be used to trace queries already performed for a particular user and to deny access to relations based on the querying history of the user.
The data/input pipeline is responsible for actions that have to be taken whenever a user issues an insert, modify, or delete operation. The request must first be mapped from the application domain to the DBMS domain. The request must then be processed. A delete request will affect only data
at a single classification level (restricted *-property of BLP). For consistency reasons, data are not actually removed but only labeled as deleted. Before the actual removal takes place, certain consistency checks are performed. More complicated is the case in which the request involves an insert operation. Classification rules that may be present in the data dictionary (see discussion of the database definition/metadata pipeline) may make it necessary to decompose a relation tuple into different subtuples, which are then stored in separate files, each with a different classification. A modify request is implemented in a way similar to the insert operation.
The database definition/metadata pipeline interacts with the LDV data dictionary and is used to create, delete, and maintain metadata. Metadata either correspond to definitions of the database structure (relations, views, attributes, domains) or are classification constraints. Classification constraints are rules that are responsible for assigning proper classification levels to data. The use of the metadata pipeline is restricted to the database administrator or database security officer (DBSSO). Here, again, Lock type enforcement mechanisms are used to isolate metadata in files that can be accessed only by the DBMS domain and the DBSSO domain and not by the application domain.
A few final words on the organization of an LDV database. Data are distributed across Lock files and the basic schema is to assign a single set of files to each security level. The data/input pipeline determines the appropriate assignment of data to files through examination of classification constraints stored in the data dictionary. In LDV there is no replication of data across different security levels. The advantage of this approach lies in the simplicity of updates. However, the approach suffers from the disadvantage of a significant performance penalty for retrieval requests due to the need for a recovery algorithm.
The recovery algorithm used in LDV is outlined by Stachour and Thuraisingham (1990).
3.3 ASD-Views
ASD-Views, implemented on top of an existing DBMS called ASD, is a research project at TRW. ASD is a multilevel relational system offering classification at the tuple level. In 1988 attempts were begun at TRW to extend ASD and to choose views as the objects of mandatory as well as discretionary security. Wilson (1988) discussed the advantages and disadvantages of views as the target of protection within ASD-Views. Among the advantages he stated the following:
• Views are very flexible and can be used to define access control based on the content of the data.
• The view definition itself documents the criteria used to determine the classification of data.
• Arithmetic and aggregate functions could be used to define views.
• Tuple-level classification can be achieved by specifying horizontal views, while attribute-level classification by specifying vertical subsets of relations.
• Access control lists can be associated with views and can control discretionary access. Thus, the same concept could be used for mandatory and discretionary protection.
However, there are also certain major disadvantages in using views for mandatory protection, two of which are as follows:
• The view definitions may need to be considered within TCB. View-based DBMSs tend to be very large, since views are responsible for most of the code of DBMS. Since a small TCB is required for successful evaluation of the correctness of the specifications and the code, including maintenance of views within TCB would represent a tremendous improvement in the verification effort.
• Not all data are updateable through certain views.
To overcome the disadvantages, Garvey and Wu (1988) included in a near-term design of ASD-Views the claim that each view must include a candidate key of the underlying base relation and, moreover, the near-term design should support only a restricted query language in order to define secure views. ASD-Views was restricted so that, for example, a view definition may describe a subset of data from a single base relation only, while joins, aggregate functions, and arithmetic expressions are not allowed. The authors of ASD-Views argue that these restrictions minimized TCB code considerably. In ASD-Views the restricted views are the security objects and base tables can only be accessed through views. In ASD-Views the creation of a view must be trusted since otherwise a Trojan horse in untrusted code could switch the names of two columns causing data at a higher security level to become visible to a user logged in at a lower level. During database initialization a trusted database administrator creates all the tables and their associated views and assigns a classification level to each view. When a user logs in to ASD-Views a user process is created at the user’s login clearance and discretionary and mandatory access checks on the referenced views can be performed. Because ASD-Views is built on top of ASD, the system may operate in all three different modes of operation of ASD (Hinke et al., 1992). In the first mode of operation, DBMS is a server in a local-area network. In the second mode of operation, the system serves as a back-end DBMS for single-level
or multilevel host computers. In the final mode of operation, the system serves as a host-resident DBMS within a multilevel host running a multilevel secure operating system.
4. Conceptual Data Model for Multilevel Security
Designing a database is a complex and time-consuming task, even more so in the case when attention must also be given to the security of the resulting database. Database design, including the design of databases containing sensitive data, is normally done in a process consisting of at least three main design phases (Fugini, 1988). The first phase, conceptual design, produces a high-level, abstract representation of the database application. The second phase, called logical design, translates this representation into specifications that can be implemented using a DBMS. The third phase, or physical design, determines the physical requirements for efficient processing of database operations. Conceptual and logical design can be performed independently of the choice of a particular DBMS, whereas physical design is strongly system dependent.
In this section we will develop a conceptual data model for multilevel security. Such a data model is of particular importance to a security administrator who wishes to get a clear understanding of the security semantics of the database application. The model proposed combines well-accepted technology from the field of semantic data modeling with multilevel security. We will start by identifying the basic requirements of a conceptual data model. The following characteristics of a conceptual database model have been discussed in the literature (see Elmasri and Navathe (1989) or Navathe and Pernul (1992)):
• Expressiveness. The data model must be powerful enough to point out common distinctions between different types of data, relationships, and constraints. Moreover, the model must offer a toolset to describe the entire set of application-dependent semantics.
• Simplicity. The model should be simple enough for a typical user or end user to understand and should, therefore, possess a diagrammatic representation.
• Minimality. The model should comprise only a small number of basic concepts. Concepts must not be overlapping in meaning.
• Formality. The concepts of the model should be formally defined and should be correct. Thus, a conceptual schema can be seen as a formal unambiguous abstraction of reality.
Semantic data models address these requirements and provide constructs which represent the semantics of the application domain correctly. In the proposed approach to the construction of a semantic data model for security we use Chen’s Entity-Relationship (ER) model with enhancements needed for multilevel security. The decision to choose ER is motivated by the fact that this model is extensively used in many database design methodologies, possesses an effective graphical representation, and is a de facto standard of most tools which support database design. We will not discuss aspects related to data semantics, though we will describe in detail application-dependent security semantics which have to be considered in a conceptual data model for multilevel security. For details on the ER approach and questions related to the conceptual database design the reader is referred to Batini et al. (1992).
Compared to the enormous amount of published literature on semantic modeling and the conceptual design of databases, not much work has been done in investigating the security semantics of multilevel secure database applications. Only recently have there been studies aimed at providing tools and assistance to help the designer working on a multilevel database application. The first attempts to use a conceptual model to represent security semantics were those of G. W. Smith (1990a, 1990b). G. W. Smith developed a semantic data model for security (SDMS) based on a conceptual database model and a constraint language. It was a careful and promising first step which has influenced all succeeding approaches. More recent efforts have been attempted as part of the SPEAR project (Wiseman, 1991 and Sell, 1992). SPEAR is a high-level data model that resembles the ER approach. It consists of an informal description of the application domain and of a mathematical specification which employs a formal specification language.
Two further related projects are known, both of which attempt to include dynamics, in addition to modeling the statics of the application, as part of the conceptual modeling process. In Burns (1992) the ER Model was extended to capture limited behavior by including the operations ‘create’, ‘find’, and ‘link’ into the conceptual database representation, whereas in Pernul (1992b) ER was used to model the static part of an MLS application while data-flow diagramming was used to model the behavior of the system. The discussion in the following subsection partly adopts the graphical notation developed in Pernul (1992b).
The proposal made in the present section considerably extends previous work on security semantics. In particular,
• it carefully defines the major security semantics that have to be expressed in the design of a multilevel application
• it outlines a security-constraints language (SCL) to express the corresponding rules in a conceptual model of the application
• it provides a graphical notation for constraints expressed in the ER model
• it gives general rules to detect conflicting constraints
• it suggests implementation of the constraint system in a rule-based system so as to achieve completeness and consistency of the security semantics.
4.1 Concepts of Security Semantics
The notion of security semantics embraces all security-relevant knowledge about the application domain. It is concerned mainly with the secrecy and privacy aspect of information (maintaining confidentiality against risk of disclosure) and with the integrity aspect of information (assuring that data is not corrupted). Within the framework of multilevel security, security semantics consists basically of rules (security constraints) classifying both data and query results. The rules are specified by the database designer and must correctly represent the level of sensitivity of classified data. In considering security semantics, certain concepts deserve special attention as regards the classification constraints:

• Identifier. A property which uniquely identifies an object of the real world is called its key or identifier. In security semantics there is also the notion of a near-key, a property that identifies a particular object not uniquely but most of the time. For example, the SSN of an employee is a key while the property Name is a near-key.
• Content. The sensitivity of an object of a certain type is usually dependent on its content, i.e., actual data values or associations of data with metadata serve to classify an object.
• Concealing Existence. In security-critical applications it may be necessary to conceal the very existence of classified data, i.e., it is not sufficient to provide unauthorized users with null values of certain facts.
• Attribute-Attribute Value. Most data make sense only when combined with metadata. As a result, in referring to a classified property, it is understood that both the property and its value are classified.
• Nonconflicting Constraint Set. For large applications it may be necessary to express a large set of security constraints at the conceptual database level. Verifying the consistency of specified constraints is one of the more difficult tasks. In the approach we have proposed there is a distinction between two types of conflicts. Depending on the type, a conflict may be resolved automatically, or the designer may be notified and then decide upon a suitable resolution strategy.
• Default Security Level. A set of classification constraints is complete if every piece of data has assigned to it a classification level via the classification constraints. In our approach completeness is enforced by ensuring that every piece of data has a default classification. The security level public cannot be assigned explicitly and instead is used as an initial classification in order to ensure completeness. If there are no further classification rules applicable for certain data, public has the semantic meaning that the data are not classified at all.
In the following discussion we present a taxonomy of security semantics consisting of the most common application-dependent requirements on multilevel security. Each requirement is formally defined, expressed in a security-constraint language (SCL), included explicitly in the notation of the ER model, and explicated by means of an example.

We start with the basic concepts. An object type $O$ is a semantic real-world concept that is described by certain properties. Using ER terminology, $O$ might be an entity type, a specialization type, a generic object, or a relationship type. In security terminology, $O$ is the target of protection and might be denoted $O(A_1, \ldots, A_n)$. $A_i$ $(i = 1..n)$ is a characteristic property defined over a domain $D_i$. Each security object must possess an identifying property $A$ ($A \subseteq \{A_1, \ldots, A_n\}$) which distinguishes instances (occurrences) $o$ of $O$ ($o = \{a_1, \ldots, a_n\}$, $a_i \in D_i$) from others. Moving to a multilevel world, the major question now is how to assign the properties and occurrences of $O$ to the correct security classifications. The process of assigning data items to security classifications is called classifying and results in the transformation of a security object $O$ into a multilevel security object $O^m$ ($O \Rightarrow O^m$). The transformation is performed by means of the security constraints. In the following we assume $O^m$ is a flat table as in the definition of an MLS relation in the Jajodia-Sandhu model introduced in Subsection 2.2.2.

Figure 6 contains graphical extensions which have been proposed for the Entity-Relationship model. Though very simple, these extensions offer a powerful tool for representing very complex application-dependent security constraints. They are stated in terms of sensitivity levels, ranges of sensitivity levels, security dependencies, predicates, and association-, aggregation-, and inference constraints. For the sake of simplicity, we distinguish only four different levels of sensitivity. If a finer granularity is required, the model can easily be extended to capture additional levels. A sensitivity level may be assigned to any structural concept of the ER model. If the occurrences of a security object are not uniformly labeled, a valid range of classifications is indicated by placing corresponding abbreviations next to the concept. In this case the concept itself must show a level that is dominated by all classifications of the instances or properties of the security object. The concept of a security dependency is introduced to indicate the origin of a classification. Predicates are included to express constraints that are dependent on the content of the security objects. Predicates cannot be specified in the diagrammatic representation and are instead expressed by means of the security-constraint language SCL. Other graphical extensions will be discussed when introducing the corresponding classification constraints.

FIG. 6. Graphical extensions to ER. [Figure legend: secrecy levels; ranges of secrecy levels, e.g., [Co..TS]; association leading to S (NK .. near-key attribute); aggregation leading to TS (N .. constant); inference leading to Co; security dependency; evaluation of predicate P.]

The model we are proposing distinguishes between two types of security constraints, application-independent and application-dependent constraints. Application-independent constraints must be valid in every multilevel database, whereas application-dependent constraints are specified by the database designer. By following the proposed methodology the design of a multilevel database application becomes a two-phase activity. In a first design phase the designer specifies the application-dependent security requirements using ER modeling techniques together with SCL. In the second phase the constraints are analyzed, inasmuch as the specified constraints may conflict with other constraints or may violate application-independent rules. In the semantic data model for multilevel security we are proposing, the final design step involves checking the constraints for conflicts, resolving conflicting constraints, and applying the nonconflicting constraint set to construct a conceptual representation of the multilevel application. Consistency and conflict management are discussed in Subsection 4.3 in more detail.
4.2 Classification Constraints

In the following discussion we present a taxonomy of the most relevant security semantics that have to be expressed in a conceptual data model. These constraints were initially defined by Pernul et al. (1993). Two types of application-dependent classification constraints are distinguished: (a) constraints that classify the characteristic properties of security objects (simple, content-based, complex, and level-based constraints), and (b) constraints that classify retrieval results (association-based, inference, and aggregation constraints). The examples which we will consider focus on the Project-Employee database given in the Introduction. We assume the existence of a single category only and a list SL of four sensitivity levels, denoted SL = (TS, S, Co, U). Note that the default level public is not in SL and, therefore, may not be assigned except for initializing.
4.2.1 Simple Constraints

Simple constraints classify certain characteristic properties of the security objects, for example, the characteristic property that employees have a salary (i.e., classifying property Salary) or the fact that employees are assigned to projects.

Definition. Let $X$ be the set of characteristic properties of security object $O$ ($X \subseteq \{A_1, \ldots, A_n\}$). A simple security property SiC is a classification of the form $SiC(O(X)) = C$ ($C \in SL$), and results in a multilevel object $O^m(A_1, C_1, \ldots, A_n, C_n, TC)$, where $C_i = C$ for all $A_i \in X$, and $C_i$ is not changed if $A_i \notin X$.

SCL predicate. SiC (O, X, C), where O is the security object under consideration, X the set of characteristic properties to be classified, and C the desired security level.

Example and graphical representation. The property Function of Assignment is regarded as confidential information.

SiC (Assignment, {Function}, S)

FIG. 7. Graphical representation of simple constraint.
4.2.2 Content-Based Constraints

Content-based constraints classify characteristic properties of the security objects based on the evaluation of a predicate defined on specific properties of this object.

Definition. Let $A_i$ be a characteristic property of security object $O$ with domain $D_i$, $P$ a predicate defined on $A_i$, and $X \subseteq \{A_1, \ldots, A_n\}$. A content-based constraint CbC is a security classification of the form $CbC(O(X), P: A_i\,\theta\,a) = C$ or $CbC(O(X), P: A_i\,\theta\,A_j) = C$ ($\theta \in \{=, \neq, <, >, \leq, \geq\}$, $a \in D_i$, $i \neq j$, $C \in SL$). A predicate may be combined with other predicates by means of logical operators. For any instance $o$ of security object $O(A_1, \ldots, A_n)$ for which a predicate evaluates true, a transformation to $o(a_1, c_1, \ldots, a_n, c_n, tc)$ is performed. Classifications are assigned in such a way that $c_i = C$ if $A_i \in X$; otherwise $c_i$ is not changed.

SCL predicate. CbC (O, X, A, θ, V, C), where O is the security object under consideration, X the set of characteristic properties to be classified, A the evaluated characteristic property $A_i$, θ the comparison operator, V the comparison value $a$ or characteristic property $A_j$, and C the security level desired.

Example and graphical representation. Properties SSN and Name of employees with a salary > 100 are treated as confidential information.

CbC (Employee, {SSN, Name}, Salary, ‘>’, ‘100’, Co)

FIG. 8. Graphical representation of content-based constraint.
4.2.3 Complex Constraints

Complex security constraints relate to two different security objects participating in a dependency relationship. They are treated like content-based constraints, the only difference being that the predicate is evaluated on a specific property of the independent security object, yielding a classification of the properties of the associated dependent security object.

Definition. Let $O$, $O'$ be two security objects and assume that the existence of an instance $o$ of $O$ is dependent on the existence of a corresponding occurrence $o'$ of $O'$, where the $k$ values of the identifying property $K'$ for $o'$ are identical to $k$ values of the characteristic properties of $o$ (foreign key). Let $P(O')$ be a valid predicate (in the sense of the content-based constraints) defined on $O'$ and let $X \subseteq \{A_1, \ldots, A_n\}$ be an attribute set of $O$. A complex security constraint CoC is a security classification of the form $CoC(O(X), P(O')) = C$ ($C \in SL$). For every instance $o$ of security object $O(A_1, \ldots, A_n)$ for which the predicate evaluates true in the related object $o'$ of $O'$, a transformation to $o(a_1, c_1, \ldots, a_n, c_n, tc)$ is performed. Classifications are assigned in such a way that $c_i = C$ if $A_i \in X$; otherwise $c_i$ is unchanged.

SCL predicate. CoC (OD, X, O, A, θ, V, C), where OD is the dependent security object under consideration, X the set of characteristic properties of OD which are to be classified, A the evaluated characteristic property $A_i$ of $O'$, θ the comparison operator, V the comparison value $a$ or characteristic property $A_j$ of $O'$, and C the security level desired.

Example and graphical representation. Individual assignment data (SSN) are regarded as secret information if the assignment refers to a project with Subject = ‘research’.

CoC (Assignment, {SSN}, Project, Subject, ‘=’, ‘Research’, S)

FIG. 9. Graphical representation of complex constraint.
4.2.4 Level-Based Constraints

Level-based security constraints are constraints classifying characteristic properties based on the classification of certain other properties of the same security object. This signifies that for all instances of a security object, the particular characteristic properties are always required to be at the same security level.

Definition. Let level($A_i$) be a function that returns the classification $c_i$ of the value of characteristic property $A_i$ in the object $o(a_1, c_1, \ldots, a_n, c_n, tc)$ of a multilevel security object $O^m$. Let $X$ be the set of characteristic properties of $O^m$ such that $X \subseteq \{A_1, \ldots, A_n\}$. A level-based security constraint LbC is a classification of the form $LbC(O(X)) = level(A_i)$ and for every object $o(a_1, c_1, \ldots, a_n, c_n, tc)$ results in the assignment $c_j = c_i$ if $A_j \in X$.

SCL predicate. LbC (O, X, A), where O is the security object under consideration, X the set of characteristic properties to be classified, and A the governing characteristic property.

Example and graphical representation. The property Client of security object Project must always have the same classification as the property Subject of the Project.

LbC (Project, {Client}, Subject)

FIG. 10. Graphical representation of level-based constraint.

While the constraints which we have considered classify characteristic properties of security objects, the following additional constraints classify the retrieval results. This is necessary, since security may require that the sensitivity of the result of a query be different from the classifications of the constituent security objects. By this policy we respond to the logical association, aggregation, and logical inference problems.
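The four property-classifying constraints defined so far (SiC, CbC, CoC, LbC) can be evaluated over instances as in the following added example, which is not code from the chapter. The sample instances, the attribute lists beyond the properties named in the text, the foreign-key table and the rule on Project.Subject are constructed for illustration, and the integrity propagation of Subsection 4.3 is left out.

```python
import operator

LEVELS = ["public", "U", "Co", "S", "TS"]   # "public" is the default, not a member of SL
RANK = {name: i for i, name in enumerate(LEVELS)}
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}

# Constructed sample instances of the Project-Employee database.
DB = {
    "Employee": [
        {"SSN": 1, "Name": "Adams", "Dep": "D1", "Salary": 120},
        {"SSN": 2, "Name": "Baker", "Dep": "D2", "Salary": 80},
    ],
    "Project": [
        {"Title": "Alpha", "Subject": "Research", "Client": "C1"},
        {"Title": "Beta", "Subject": "Production", "Client": "C2"},
    ],
    "Assignment": [
        {"SSN": 1, "Title": "Alpha", "Date": "1993-01-10", "Function": "Leader"},
        {"SSN": 2, "Title": "Beta", "Date": "1993-02-01", "Function": "Tester"},
    ],
}
# Property through which a dependent object references the object a CoC predicate is
# evaluated on (assumption: Assignment.Title references Project.Title).
FOREIGN_KEY = {("Assignment", "Project"): "Title"}

RULES = [
    ("SiC", "Assignment", {"Function"}, "S"),
    ("CbC", "Employee", {"SSN", "Name"}, "Salary", ">", 100, "Co"),
    ("CoC", "Assignment", {"SSN"}, "Project", "Subject", "=", "Research", "S"),
    # Constructed rule (not in the chapter) so that the level-based rule has a visible effect.
    ("CbC", "Project", {"Subject"}, "Subject", "=", "Research", "Co"),
    ("LbC", "Project", {"Client"}, "Subject"),
]


def classify(db, rules):
    """Return, per object and instance, a dict property -> level plus the tuple class 'tc'."""
    labels = {obj: [dict.fromkeys(row, "public") for row in rows]
              for obj, rows in db.items()}
    for kind, obj, props, *args in rules:
        for row, lab in zip(db[obj], labels[obj]):
            if kind == "LbC":                     # c_j = c_i for every A_j in X
                for p in props:
                    lab[p] = lab[args[0]]
                continue
            if kind == "CbC":                     # predicate on the object itself
                attr, op, value = args[:3]
                hit = OPS[op](row[attr], value)
            elif kind == "CoC":                   # predicate on the referenced object
                other, attr, op, value = args[:4]
                fk = FOREIGN_KEY[(obj, other)]
                hit = any(o[fk] == row[fk] and OPS[op](o[attr], value)
                          for o in db[other])
            else:                                 # SiC is unconditional
                hit = True
            if hit:
                for p in props:                   # c_i = C; the maximum wins on overlap
                    lab[p] = max(lab[p], args[-1], key=RANK.get)
    for rows in labels.values():
        for lab in rows:
            lab["tc"] = max(lab.values(), key=RANK.get)   # tc dominates every c_i
    return labels
```

Calling `classify(DB, RULES)` labels only the first employee's SSN and Name at Co, because only that instance satisfies the salary predicate.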
4.2.5 Association-Based Constraints

Association-based security constraints restrict against combining the value of certain characteristic properties with the identifying property of the security object in the retrieval result. This permits access to collective data but prevents the user from relating properties to individual instances of the security object.

Definition. Let $O(A_1, \ldots, A_n)$ be a security object with identifying property $K$. Let $X \subseteq \{A_1, \ldots, A_n\}$ ($K \cap X = \{\}$) be the set of characteristic properties of $O$. An association-based security constraint AbC is a classification of the form $AbC(O(K, X)) = C$ ($C \in SL$) and results in the assignment of security level $C$ to the retrieval result of each query that takes $X$ together with the identifying property $K$.

SCL predicate. AbC (O, X, C), where O is the security object under consideration, X the set of characteristic properties to be classified when retrieved together with the identifying property, and C the security level.

Example and graphical representation. The example considers the salary of an individual person as confidential, while the values of salaries without the information as to which employee gets what salary are considered unclassified.

AbC (Employee, {Salary}, Co)

FIG. 11. Graphical representation of association-based constraint.
4.2.6 Aggregation Constraints

Under certain circumstances a combination of several instances of the same security object may be regarded as more sensitive than a query result consisting of a single instance only. This phenomenon is known as the aggregation problem. It occurs in cases where the number of instances of a query result exceeds some specified constant value.

Definition. Let count($O$) be a function that returns the number of instances referenced by a particular query and belonging to security object $O(A_1, \ldots, A_n)$. Let $X$ ($X \subseteq \{A_1, \ldots, A_n\}$) be the sensitive characteristic properties of $O$. An aggregation security constraint AgC is a statement of the form $AgC(O, (X, count(O) > n)) = C$ ($C \in SL$, $n \in N$) and results in a classification $C$ for the retrieval results of a query if count($O$) > $n$, i.e., if the number of instances of $O$ referenced by a query accessing properties $X$ exceeds the value $n$.

SCL predicate. AgC (O, X, N, C), where O is the security object under consideration, X the set of characteristic properties, N the specified value $n$, and C the security level of the corresponding queries.

Example and graphical representation. The information as to which employee is assigned to what projects is considered unclassified. However, aggregating all assignments for a certain project and, thereby, inferring which team (aggregate of assigned employees) is responsible for what project is considered secret. To treat this situation a maximum value of n = 3 should be specified.

AgC (Assignment, {Title}, ‘3’, S)

FIG. 12. Graphical representation of aggregation-based constraint.
4.2.6 Inference Constraints

Inference constraints restrict against the use of unclassified data to infer data which is classified. Inferences can occur because of hidden paths that are not explicitly represented in the conceptual data model of the multilevel application. The hidden paths may also involve knowledge from outside the database application domain.

Definition. Let PO be the set of multilevel objects involved in a potential logical inference. Let $O$, $O'$ be two particular objects from PO with corresponding multilevel representation $O(A_1, C_1, \ldots, A_n, C_n, TC)$ and $O'(A'_1, C'_1, \ldots, A'_m, C'_m, TC')$. Let $X \subseteq \{A_1, \ldots, A_n\}$ and $Y \subseteq \{A'_1, \ldots, A'_m\}$. A logical inference constraint IfC is a statement $IfC(O(X), O'(Y)) = C$ and results in the assignment of security level $C$ to the retrieval result of each query that takes $Y$ together with the properties in $X$.

SCL predicate. IfC (O1, X1, O2, X2, C), where O1 is the first security object involved, X1 the set of characteristic properties of O1 that might be used for logical inference, O2 the second security object, X2 the attribute set of O2, and C the security level of the corresponding queries.

Example and graphical representation. As an example consider a situation in which the information as to which employee is assigned to what projects is considered confidential. Consider, further, that on the basis of access to the department which an employee works for and access to the subject of a project, users (with certain knowledge from outside the system) may infer which department is responsible for the project, and, thus, can determine which employees are involved. The situation is modeled below.

IfC (Employee, {Dep}, Project, {Subject}, Co)

FIG. 13. Graphical representation of inference constraint.
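The three retrieval-result constraints (AbC, AgC, IfC) as a check on the shape of a query, added here as an example and not taken from the chapter. The query representation, the key table and the function name are assumptions; the near-key test uses the near-key Name from Subsection 4.1.

```python
LEVELS = ["public", "U", "Co", "S", "TS"]   # "public" is the default, not a member of SL
RANK = {name: i for i, name in enumerate(LEVELS)}

# Identifying properties and near-keys (Name is the near-key named in Subsection 4.1).
KEYS = {"Employee": {"SSN"}, "Project": {"Title"}, "Assignment": {"SSN", "Title"}}
NEAR_KEYS = {"Employee": {"Name"}}

RULES = [
    ("AbC", "Employee", {"Salary"}, "Co"),
    ("AgC", "Assignment", {"Title"}, 3, "S"),
    ("IfC", "Employee", {"Dep"}, "Project", {"Subject"}, "Co"),
]


def result_level(query, rules=RULES):
    """Classify a retrieval result.

    query maps an object name to (set of retrieved properties, number of
    instances referenced). Returns (level, kinds of the rules that fired).
    The level is the one the retrieval constraints demand; the labels stored
    with the data itself are not considered here.
    """
    fired = []
    for rule in rules:
        kind, obj, x = rule[:3]
        props, count = query.get(obj, (set(), 0))
        if kind == "AbC":
            # X together with the identifying property K, or with a near-key
            identified = KEYS[obj] <= props or bool(NEAR_KEYS.get(obj, set()) & props)
            hit = x <= props and identified
        elif kind == "AgC":
            # more than n instances of the object referenced while accessing X
            hit = x <= props and count > rule[3]
        else:
            # IfC: X of the first object retrieved together with Y of the second
            other, y = rule[3], rule[4]
            hit = x <= props and y <= query.get(other, (set(), 0))[0]
        if hit:
            fired.append(rule)
    level = max((r[-1] for r in fired), key=RANK.get, default="public")
    return level, [r[0] for r in fired]
```

A query over salaries alone stays at public, while the same query with SSN or Name added is raised to Co.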
4.3 Consistency and Conflict Management
The classification constraints specified by the designer must be stored in a rule base. For complex applications it might be necessary to express a large set of security constraints at the conceptual database level. Verifying the consistency of the constraints is one of the more difficult design tasks. We propose that an automated tool which dynamically assists the designer in specification and refinement of the security constraints be applied here. The tool must ensure that the consistency of the rule base is satisfied whenever a classification constraint is updated or a new constraint inserted in the rule base.

In the proposed conceptual model for multilevel security two types of conflicts are distinguished. The first type is concerned with conflicts among application-dependent and application-independent constraints. Because we are expressing the security semantics in the conceptual schema, application-independent multilevel constraints could be violated. In the proposed system, these conflicts are detected automatically, the conflicts are resolved, and, finally, the designer is notified. However, if an application-dependent security constraint is in conflict with an application-independent constraint, the designer does not have a chance to override the changes performed by the tool. The second kind of conflict deals with conflicting application-dependent security constraints. The designer is informed of such conflicts and then decides on the correct classification. As a default strategy, the tool suggests the maximum of the conflicting security levels to guarantee the highest degree of security possible. The following is the set of integrity constraints which the set of classification constraints must satisfy:

[I1]: Multilevel Integrity. Each property must have a security level. This is satisfied, since in initial classifying, all properties are assigned to the default security level.

[I2]: Entity Integrity. All properties forming an identifying property must be uniformly classified and must be dominated by all the other classifications of the object. The tuple-class must dominate all classifications. A multilevel security object $O^m$ with identifying property $K$ (apparent key) satisfies the entity integrity property if for all occurrences $o(a_1, c_1, \ldots, a_n, c_n, tc)$ of $O^m$

1. $A_i, A_j \in K \Rightarrow c_i = c_j$
2. $A_i \in K, A_j \notin K \Rightarrow c_i \leq c_j$
3. $tc \geq c_i$ $(i = 1..n)$.

[I3]: Foreign-Key Property. The level assigned to a foreign key must dominate the level of the corresponding identifying property. The foreign-key property guarantees that no dangling references between depending objects will occur. Let $K$ be the identifying property in the multilevel security object $O^m(A_1, C_1, \ldots, A_n, C_n, TC)$ and let it be a foreign key $K'$ in a dependent object $O'^m(A'_1, C'_1, \ldots, A'_m, C'_m, TC')$. The foreign-key property is satisfied if, for any two dependent occurrences $o(a_1, c_1, \ldots, a_n, c_n, tc)$ of $O^m$ and $o'(a'_1, c'_1, \ldots, a'_m, c'_m, tc')$ of $O'^m$, $A_i \in K, A'_j \in K' \Rightarrow c_i \leq c'_j$.

[I4]: Near-Key Property. The near-key property is important if an association-based constraint AbC (O, X, C) is specified. In this case C is also propagated to each query that takes a near key instead of the identifying property of O together with the attribute set X.

[I5]: Level-Based Property. In order to avoid transitive propagation of security levels between specified level-based constraints, for any two constraints LbC(O, X, A) and LbC(O, X', A'), $A \notin X'$ and $A' \notin X$ must hold. Additionally, because of entity integrity, an LbC may not be defined on an attribute set including the identifying property.

[I6]: Multiple-Classification Property. Each value of a characteristic property may have only a single classification. If different security constraints assign more than one level to a particular property value, the designer must be notified of the conflict. The designer then decides whether or not to adopt the default resolution strategy.
4.4 Modeling the Example Application
Classifying is performed by stepwise insertion of security constraints into the rule base. Declaring a new constraint is an interactive process between tool and designer whereby each constraint is validated against the integrity constraints. If a conflict is detected which violates an application-independent integrity constraint, the constraint is enforced by propagating the required classification to the characteristic properties involved. If a conflict is due to multiple classification, the designer is told of the conflict and decides whether or not to adopt the default resolution strategy. Let us now apply the classification requirements to the sample design. For the sake of convenience, the corresponding rules specified in SCL are given below once again.

1. SiC (Assignment, {Function}, S)
2. CbC (Employee, {SSN, Name}, Salary, ‘>’, ‘100’, Co)
3. CoC (Assignment, {SSN}, Project, Subject, ‘=’, ‘Research’, S)
4. LbC (Project, {Client}, Subject)
5. AbC (Employee, {Salary}, Co)
6. AgC (Assignment, {Title}, ‘3’, S)
7a. SiC (Assignment, {SSN, Title}, Co)
7b. IfC (Employee, {Dep}, Project, {Subject}, Co)

Classifying starts with the assignment of the default classification level to every characteristic property. Insertion of rule 1 results in the assignment of S to property Function. No conflicts result. Insertion of rule 2 leads to the assignment of the range [∅..Co] to properties SSN and Name of Employee. That is, if the predicate evaluates true, Co is assigned to the properties, otherwise the classification remains public (denoted ∅). Because of the application-independent integrity constraint, which specifies that the classification of the identifying property must be dominated by all other classifications of an object, the insertion of this CbC causes a violation of entity integrity. As a consequence, the classification range [∅..Co] is automatically propagated to the other properties of the object type Employee as well. The identifying property of Employee (i.e., SSN) is also a foreign key in Assignment. Because of the foreign-key property, [∅..Co] must also be propagated to SSN of Assignment. There, classifying SSN with [∅..Co] violates entity integrity, causing, first, propagation of [∅..Co] to the property Title (the key must be uniformly classified) and, second, propagation of [∅..Co] to the properties Date and Function as well (all other classifications must dominate the key). Since property Function is already assigned to S, the first conflict arises and is reported to the designer. Let us assume the designer confirms the suggested classification and Function remains classified at S. No further conflicts arise.
The complex security constraint specified as rule 3 states that SSN of Assignment is considered at S if an assignment refers to a project with Subject = ‘research’. Insertion of the constraint in the rule base causes a multiple-classification conflict, because [∅..Co] is already assigned to SSN of Assignment. Let us assume that the designer accepts the suggested default resolution strategy, so that [∅..S] is assigned to SSN. Since the key must be uniformly classified, this causes a conflict with entity integrity and [∅..S] is propagated to property Title as well. Because of the demand that classification of an identifying property must dominate all other classifications of the object, [∅..S] is also propagated to Date and Function. Propagating [∅..S] to attribute Function causes a multiple-classification conflict. This is because rule 1 already has assigned a classification S. The designer is notified of the conflict. Let us assume that the designer confirms the suggested default resolution strategy and S remains assigned. Figure 14 shows the state of design after conflict resolution and before insertion of constraint 4.

FIG. 14. State of design following application of constraint 3.

Introducing the level-based constraint specified in rule 4 does not cause any conflicts. Inserting the association-based constraint specified in rule 5 causes a violation of the near-key integrity property. The conflict is resolved by including the near-key integrity property in the constraint. Inserting rule 6 does not cause any conflicts. Rule 7a leads to multiple classification because SSN and Title of Assignment are already classified at [∅..S]. Let us assume that the designer accepts the default conflict-resolution strategy [Co..S]. Because of the need to enforce entity integrity this causes propagation of [Co..S] to all the other properties of Assignment as well. In the case of the property Function, a conflict arises because Function is already assigned to S. We again assume that the designer has accepted the suggested resolution strategy. Finally, the inference constraint (rule 7b) which classifies certain query results is included in the conceptual model. Figure 15 gives a graphical representation of the conceptual data model of the sample multilevel application following classification and conflict resolution. An optional implementation of the graphical browser should provide a tracing facility, giving the designer the ability to trace back all the classification steps which have led to certain classifications.

The contribution of this section is to develop a semantic data model for multilevel security.
The model provides an integrated approach for modeling both the data and the security semantics of a database application. The proposal made in this section extends previous work on semantic modeling of sensitive information by carefully defining the security semantics considered, providing a constraint language and a graphical notation to express the semantics in a conceptual model, and developing consistency criteria which the set of specified classification constraints must satisfy.

FIG. 15. Conceptual model of the sample database.

The technique can be extended in several directions. In the case of certain database applications, for example, it may also be necessary to model the dynamic aspects of information. A first step in this direction has already been taken by Burns (1992) and Pernul (1992b). The model also has to be completely implemented. So far the implementation is only at the prototype level and covers only the constraints language SCL and conflict management. Implementation of the graphical browser is left for further study.

Another important issue to the database community is deciding when to enforce the security constraints represented in the conceptual representation of the database. In general, security constraints may be enforced during database update, during query processing, as well as during database design. If the constraints are handled during database update, they are treated by the DBMS like the integrity constraints. If they are enforced during query processing, they may be treated like the derivation rules, that is, employed to assign classifications before data is released from the DBMS domain to the user domain. Finally, if they are handled during the database design phase, they must be properly represented in the database structure and in the metadata. Deciding when to enforce the constraints may depend on the type of constraint being considered. However, it is important to note that enforcing the constraints during query processing or during database update will strongly influence the performance of the database. From this point of view as many constraints as possible should be enforced during the design of the database. The technique proposed in this section serves as a valuable starting point for a logical design stage during which the conceptual representation of the database is transferred into a target data model, for example, the multilevel relational data model.
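The stepwise insertion traced in Subsection 4.4, as an added example rather than the prototype the chapter mentions. It assumes the schema below and models the default resolution strategy as the maximum of both range bounds, which reproduces the ranges given in the walk-through; rules 4 to 6 and 7b are omitted because they do not change a property's range there.

```python
LEVELS = ["public", "U", "Co", "S", "TS"]   # "public" (written ∅ in the text) is the default
RANK = {name: i for i, name in enumerate(LEVELS)}
PUBLIC = ("public", "public")               # a range is a pair (lower bound, upper bound)

# Object types and keys as used in the walk-through; attribute lists are assumed
# where this section does not spell them out.
SCHEMA = {
    "Employee":   {"key": ["SSN"], "props": ["SSN", "Name", "Dep", "Salary"]},
    "Project":    {"key": ["Title"], "props": ["Title", "Subject", "Client"]},
    "Assignment": {"key": ["SSN", "Title"], "props": ["SSN", "Title", "Date", "Function"]},
}
# Identifying property -> foreign keys that reference it.
REFERENCED_BY = {("Employee", "SSN"): [("Assignment", "SSN")],
                 ("Project", "Title"): [("Assignment", "Title")]}


def fixed(level):          # SiC: the property is always at this level
    return (level, level)


def conditional(level):    # CbC / CoC: this level only where the predicate holds
    return ("public", level)


def join(a, b):
    """Default resolution: maximum of the lower bounds and of the upper bounds."""
    return (max(a[0], b[0], key=RANK.get), max(a[1], b[1], key=RANK.get))


class RuleBase:
    def __init__(self):
        # [I1]: every property starts at the default level
        self.cls = {(o, p): PUBLIC for o, s in SCHEMA.items() for p in s["props"]}
        self.explicit = set()   # properties a designer rule classified directly
        self.notices = {}       # (rule, property) -> (old, incoming, resolved range)

    def _assign(self, rule, target, rng, explicit):
        old = self.cls[target]
        new = join(old, rng)
        # [I6]: a differing classification meets an already classified property
        if old != PUBLIC and rng != old and (explicit or target in self.explicit):
            self.notices.setdefault((rule, target), (old, rng, new))
        if explicit:
            self.explicit.add(target)
        self.cls[target] = new
        return new != old

    def insert(self, rule, obj, props, rng):
        work = [(obj, p) for p in props if self._assign(rule, (obj, p), rng, True)]
        while work:                       # propagate every change of a key property
            o, p = work.pop()
            if p not in SCHEMA[o]["key"]:
                continue
            cur = self.cls[(o, p)]
            # [I2]: key uniformly classified and dominated by all other properties
            targets = [(o, q) for q in SCHEMA[o]["props"] if q != p]
            # [I3]: a foreign key dominates the identifying property it references
            targets += REFERENCED_BY.get((o, p), [])
            work += [t for t in targets if self._assign(rule, t, cur, False)]


def walk_through():
    rb = RuleBase()
    rb.insert("1", "Assignment", ["Function"], fixed("S"))
    rb.insert("2", "Employee", ["SSN", "Name"], conditional("Co"))
    rb.insert("3", "Assignment", ["SSN"], conditional("S"))
    rb.insert("7a", "Assignment", ["SSN", "Title"], fixed("Co"))
    return rb
```

After `walk_through()`, `notices` holds the six conflicts the text reports to the designer, in the order they arise.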
5. Standardization and Evaluation Efforts
Database security (and computer security in general) is currently subject to intensive national and international standardization and evaluation efforts. The efforts have as their goal the development of metrics for use in evaluating the degree of trust that can be placed in computer products used to process sensitive information. By “degree of trust,” we understand the level of assurance that the security enforcing functions of a system are working properly. The efforts have all been based on the “Orange Book” criteria (TCSEC, 1985) issued by the U.S. National Computing Security Center (NCSC). Since then, the criteria have been used to evaluate products in the U.S. and in many other countries as well. Shortly after its release, the Orange Book was criticized because of its orientation towards confidentiality and secrecy issues and because its main focus was on centralized computer systems and operating systems. As a consequence, NCSC has issued two interpretations of the Orange Book, the “Red Book,” an interpretation for networks, and the “Purple Book” (TDI, 1990), an interpretation for databases. Together with other documents issued by NCSC, the standards are known as the “rainbow series” because of the color of their title pages. Within Europe there have been a number of national initiatives in the development of security evaluation criteria. Recognizing the common interest and similar principles underlying their efforts, four European countries (France, Germany, Netherlands, and the United Kingdom) have cooperated in the development of a single set of harmonized criteria issued by the Commission of the European Communities (ITSEC, 1991). Besides these efforts, criteria sets have also been published in Canada and Sweden. Because of the ongoing internationalization of the computer product market, there is a strong demand on the part of industry for establishing harmonization between TCSEC, ITSEC, and the other proposals. 
A first step in this direction were the studies performed as part of the US Federal Criteria Project, currently a draft under public review. In the following discussion we will briefly review the basic concepts of the Orange Book and show how they relate to corresponding concepts in ITSEC.

TCSEC defines four hierarchically ordered divisions (D, C, B, A) of evaluation classes. Within each of the divisions may be found one or more hierarchical classes. Figure 16, taken from the Orange Book, contains a detailed representation of this packaging. D-level criteria relate to all systems and products that cannot be evaluated at higher levels of trust. D-level requires no security features. Systems rated at a C-level support DAC, which includes the support of identification, authentication, and auditing functions.

FIG. 16. Trusted Computer Security Evaluation Criteria summary chart (NCSC-TCSEC, 1985). [Chart not reproduced: for each evaluation class C1, C2, B1, B2, B3, and A1 it marks every criterion under security policy, accountability, assurance, and documentation as having no requirements, new or enhanced requirements, or no additional requirements for that class.]

At C1, DAC-based protection must only be provided at a user-group level, while for C2, protection at the individual user level is required. Most commercially available general-purpose DBMS products are evaluated at C2. At the B-level criteria, security labels and mandatory access controls are introduced. Enhancing existing DBMSs with add-on security packages may result in evaluation at B1, whereas for B2 and above the system must have been designed with security already in mind. At B2 emphasis is on assurance. For this purpose a formal security policy model must be developed, the role of a system administrator and an operator introduced, and security-relevant code separated into a TCB. B3 requires an increased level of assurance, achieved by a greater amount of testing and placing great emphasis on auditing. Emphasis at B3 is also directed toward minimizing and simplifying TCB code. The A1 evaluation class is, in terms of functionality, identical to B3, though it requires formal techniques to exhibit and prove consistency
between the specification and the formal security policy. It is not required to prove the source code against the specification and against the formal security policy. The systems discussed in Section 3 were developed with the aim of obtaining evaluation at the A1 level, whereas most commercial DBMS systems that support a mandatory security policy have been evaluated at the B1 or B2 level.

A number of deficiencies in TCSEC have been pointed out by several researchers (for example, Neumann, 1992). Besides the fact that distributed systems are not adequately covered (although the Red Book provides some guidelines) it has been noted that

• The primary focus of TCSEC is on confidentiality. Integrity and availability are not treated adequately.
• Authentication considers only passwords. More advanced techniques are not included.
• TCSEC provides inadequate defence against pest programs (Neumann, 1990).
• Auditing data (and its real-time analysis) can provide an important aid in protecting against vulnerabilities. This is not considered in the criteria.

ITSEC has been developed with some of the deficiencies of TCSEC in mind and is intended as a superset of TCSEC. It defines security as consisting in a combination of confidentiality, integrity, and availability, and distinguishes between two kinds of criteria: a functional criteria of ten hierarchically ordered divisions and a correctness criteria of seven divisions. Both criteria are evaluated separately. The functional criteria are used to evaluate the security enforcing functions of a system. The functional criteria have been developed within the German national criteria project. The first five functionality divisions correspond closely to the functionality classes of TCSEC while the remaining five are intended as examples to demonstrate common requirements for particular types of systems. The correctness criteria represent seven levels of assurance as regards the correctness of the security features. They correspond roughly to the assurance levels of TCSEC and cumulatively require testing, configuration control, access to design specification and source code, vulnerability analysis, and formal and informal verification of the correspondence between specification, security model, and source code. Figure 17 relates the functional and correctness criteria of ITSEC to the corresponding evaluation classes of TCSEC. Although it is commonly agreed that the evaluation criteria are a first step in the right direction, the market for commercial evaluation is still not fully
developed. The existence of at least seven sets of evaluation criteria from different countries has produced an unwillingness on the part of developers to permit their products to be subjected to an evaluation process. However, it is commonly agreed that efforts at making the different criteria compatible, together with the growing number of evaluated products and the increasing number of customers showing a preference for evaluated products, may generate further interest among the public and society at large in database security (and computer security in general) and security evaluation.

FIG. 17. Correspondence between ITSEC and TCSEC. [Table not reproduced: its columns are the ITSEC functional and correctness criteria and the corresponding TCSEC evaluation class.]
6. Future Directions in Database Security Research
The field of database security has been active for almost twenty years. During early stages of research the focus was directed principally towards the discretionary aspect of database security, i.e., different forms of access control lists and view-based protection issues. Later the focus shifted towards mandatory controls, integrity issues, and security mechanisms fine-tuned to provide privacy. The major current trends are to provide tools that support the designer during the different database design phases that entail security-critical contents, to develop security semantics and classification constraints, to investigate the use of rules and triggers for various problems related to database security, to extend security issues to other data models, for example, distributed and heterogeneous databases, and to investigate in the course of physical design such questions as transaction and recovery management as well as development of storage structures whose main focus is on the support of security. We now would like to outline what we believe will be the various directions the entire field will follow over the next few years.
System architecture of mandatory systems. Most DBMSs supporting MAC are based on the principles of balanced assurance and TCB subsetting. As a result, the DBMS is hosted on a TCB which is responsible for identification, user authentication, and mandatory access controls. Multilevel relations are only supported at an external level and the entire database is decomposed into single-level fragments which are stored using the storage manager of a general-purpose DBMS product. We believe this approach has several practical advantages but represents only a near-term solution to database security. What is needed in the near future are data models, storage structures, and transaction and recovery management procedures specially suited for use in DBMSs with a high degree of trust in their security features. A first step in this direction has already been taken in the case of secure transaction management (for example, Kogan and Jajodia, 1990, or Kang and Keefe, 1992a) and recovery management (Kang and Keefe, 1992b).

Formal specification and verification of MLS DBMSs. Assurance that the security features of a DBMS are working properly is required for DBMSs that contain databases with security-critical content. This entails a formal specification and verification of the DBMS specifications, the DBMS architecture, the DBMS implementation, as well as the design and implementation of the particular database application. So far, there is not much work on this topic and only very little experience in the use of existing systems and techniques to formally specify and verify databases. A natural next step would be to adopt existing techniques and use them for designing and implementing secure databases. A very good discussion on the pros and cons of formal methods within the framework of safety-critical systems is that of McDermid (1993).

Evaluation criteria. It is commonly agreed that the evaluation criteria represent a first step in the right direction.
However, since the international field of information technology providers will not be able to evaluate their products against different criteria in different countries, all the various criteria will have to be merged. Mutual recognition of the security certifications and evaluations of different countries is also necessary. Moreover, as technology evolves, the concept of security will have to be extended to an open, heterogeneous, multi-vendor environment. In the future, systems will have to be considered for evaluation that differ from what we are familiar with today. For example, object-oriented systems, knowledge-based systems, active systems, multimedia systems, or hypertext may become candidates for evaluation. To cover future development, criteria must be open-ended and, thereby, address the needs of new information technology environments which have yet to be explored.

Extending security to nonrelational data models. It is only recently that security has been discussed in the context of nonrelational data models. Preliminary work has begun on the development of security models for object-oriented databases (for multilevel approaches, see Keefe et al., 1989, Jajodia and Kogan, 1990, Thuraisingham, 1992, and Millen and Lunt, 1992; for discretionary models, see Fernandez et al., 1989, Rabitti et al., 1989, and Fernandez et al., 1993), for knowledge-based systems (see Morgenstern, 1987, and Thuraisingham, 1990), for multimedia databases (see Thuraisingham, 1991), and for hypertext (see Merkl and Pernul, 1994). So far, the Personal Knowledge Approach is the only data model that was initially developed with the main goal of meeting security requirements. All the other approaches have adopted existing data models for use in security-critical environments. It is expected that further research will lead to new data models in which security is among the major design decisions.

Research issues in discretionary security. The presence of more advanced data models, for example, the object-oriented data model, has renewed interest in discretionary access controls. Further research issues include explicit negative authorization, group authorization, propagation of authorization, propagation of revocations, authorizations on methods and functions, and the support of roles.

Design aids and tools. Future research is necessary for the development of aids and tools to support the designer during the different phases involved in the design of a database with security-critical content. Research is needed in an integrated fashion and must span requirements analysis, conceptual and logical design, security semantics, and integrity rules, as well as prototyping, testing, and benchmarking. Aids, guidelines, and tools are needed for both discretionary and mandatory protected databases.

Extending security to distributed and heterogeneous databases.
Distribution adds a further dimension to security because distributed systems are vulnerable to a number of additional security attacks, for example, data communication attacks. Even more complicated is the case in which heterogeneous DBMSs are chosen to form a federation. Since the participating component databases continue to operate autonomously and the security mechanisms may differ between the sites, additional security gateways and controls may be necessary. The steps involved in building a secure distributed heterogeneous DBMS are by no means straightforward and some researchers believe that, given the current state of the art of both database security and federated database technology, such a DBMS is not even possible.
Security and privacy. Addressing security and privacy themes must remain a future topic of database research. Security and privacy is among the most important topics in medical informatics, for example, in integrated hospital information systems. In numerous medical venues computerized information systems have been introduced with little regard to security and privacy controls. It is a future challenge to database security to cope with the availability, confidentiality, and privacy of computer-based patient records in the near future.
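
The architecture summarized above under "System architecture of mandatory systems" (a multilevel relation offered only at the external level, stored as single-level fragments in an ordinary storage manager) can be made concrete with a small sketch. This is an added example, not code from the chapter or from any system it cites; the level names, the EMPLOYEE schema, the class and method names, and the use of SQLite as the stand-in storage manager are all assumptions.

```python
import sqlite3

# Constructed linear order of sensitivity levels (assumption for this example).
LEVELS = ["U", "C", "S", "TS"]
RANK = {name: i for i, name in enumerate(LEVELS)}


class MultilevelRelation:
    """EMPLOYEE(name, dept, salary) with tuple-level labels.

    The multilevel relation exists only as a view computed by this mediation
    layer. Underneath, every level has its own single-level fragment, an
    ordinary table that knows nothing about labels.
    """

    def __init__(self):
        # In-memory SQLite plays the general-purpose, untrusted storage manager.
        self.db = sqlite3.connect(":memory:")
        for lvl in LEVELS:
            self.db.execute(
                f"CREATE TABLE employee_{lvl} "
                "(name TEXT PRIMARY KEY, dept TEXT, salary INTEGER)"
            )

    @staticmethod
    def _check(level):
        # Table names are built only from this fixed whitelist of levels.
        if level not in RANK:
            raise ValueError(f"unknown level: {level!r}")
        return level

    def insert(self, subject_level, name, dept, salary):
        """A subject writes only into the fragment at its own level.

        Uniqueness of the key is enforced per fragment, so a low subject is
        never told that a higher-level tuple with the same key exists; the
        two tuples coexist (polyinstantiation).
        """
        lvl = self._check(subject_level)
        self.db.execute(
            f"INSERT INTO employee_{lvl} VALUES (?, ?, ?)", (name, dept, salary)
        )

    def select(self, subject_level):
        """Recover the subject's view: union of all fragments at or below its level."""
        lvl = self._check(subject_level)
        rows = []
        for frag in LEVELS[: RANK[lvl] + 1]:
            cur = self.db.execute(
                f"SELECT name, dept, salary FROM employee_{frag} ORDER BY name"
            )
            rows.extend((n, d, s, frag) for n, d, s in cur)
        return rows

    def stored_fragment(self, level):
        """Raw content of one single-level table, as the storage manager sees it."""
        lvl = self._check(level)
        cur = self.db.execute(
            f"SELECT name, dept, salary FROM employee_{lvl} ORDER BY name"
        )
        return list(cur)


def build_sample():
    """Constructed sample data: one unclassified and two secret tuples."""
    rel = MultilevelRelation()
    rel.insert("U", "Alice", "Sales", 50000)
    rel.insert("S", "Bob", "Research", 90000)
    rel.insert("S", "Alice", "Intelligence", 70000)  # same key, higher level
    return rel


if __name__ == "__main__":
    rel = build_sample()
    for level in LEVELS:
        print(level, rel.select(level))
```

The secret-level view contains two tuples for the key Alice, one from each fragment, while the unclassified fragment on disk holds nothing labelled above U.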
7. Conclusions

In the present essay we have proposed models and techniques which provide a conceptual framework in the effort to counter the possible threats to database security. Emphasis has been given to techniques primarily intended to assure a certain degree of confidentiality, integrity, and availability of the data. Privacy and related legal issues of database security were also discussed, though not as fully. Although our main focus was on the technological issues involved in protecting a database, it should be recognized that database security includes organizational, personnel, and administrative security issues as well. Database security is not an isolated problem; in its broadest sense it is a total system problem. Database security depends not only on the choice of a particular DBMS product or on the support of a certain security model, but also on the operating environment and the people involved. Although not discussed, further database security issues include requirements on the operating system, network security, add-on security packages, data encryption, security in statistical databases, hardware protection, software verification, and others.

There is a growing interest in database security and the approaches which we have reported demonstrate the considerable success which has been achieved in developing solutions to the problems involved. Public interest has increased dramatically, though it is only recently that the issue of security outside the research community has begun to receive the attention which its importance warrants. Though database security has been a subject of intensive research for almost two decades it is still one of the major and fascinating research areas. It is expected that changing technology will introduce new vulnerabilities to database security. Together with problems that have yet to be fully solved, the field of database security promises to remain an important area of future research.
ACKNOWLEDGMENTS

I wish to acknowledge the many discussions that I have had on the AMAC security technique and on the conceptual modeling of sensitive information with Kamal Karlapalem, Stefan Vieweg, and Werner Winiwarter. In particular, I wish to thank A Min Tjoa and Dieter Merkl for their many fruitful comments.
References

Batini, C., Ceri, S., and Navathe, S. B. (1992). “Conceptual Database Design: An Entity-Relationship Approach.” Benjamin/Cummings, Reading, Massachusetts.
Bell, D. E. and LaPadula, L. J. (1976). “Secure Computer System: Unified Exposition and Multics Interpretation.” Technical Report MTR-2997. MITRE Corp., Bedford, Massachusetts.
Biba, K. J. (1977). “Integrity Considerations for Secure Computer Systems.” ESD-TR-76-372, USAF Electronic Systems Division.
Biskup, J. (1990). “A General Framework for Database Security.” Proc. European Symp. Research in Computer Security (ESORICS ’90), Toulouse, France.
Biskup, J. and Brüggemann, H. H. (1988). The Personal Model of Data: Towards a Privacy-Oriented Information System. Computers & Security, 7, North-Holland (Elsevier).
Biskup, J. and Brüggemann, H. H. (1989). The Personal Model of Data: Towards a Privacy-Oriented Information System (extended abstract). Proc. 5th Int’l Conf. on Data Engineering (ICDE ’89). IEEE Computer Society Press.
Biskup, J. and Brüggemann, H. H. (1991). Das datenschutzorientierte Informationssystem DORIS: Stand der Entwicklung und Ausblick. Proc. 2. GI-Fachtagung “Verläßliche Informationssysteme” (VIS ’91). IFB 271, Springer-Verlag.
Burns, R. K. (1992). A Conceptual Model for Multilevel Database Design. Proc. 5th Rome Laboratory Database Workshop, Oct. 1992.
Chen, P. P. (1976). The Entity Relationship Model: Towards a Unified View of Data. ACM Trans. Database Systems (TODS), 1(1).
Clark, D. D. and Wilson, D. R. (1987). A Comparison of Commercial and Military Computer Security Policies. Proc. 1987 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Codd, E. F. (1970). A relational model for large shared data banks. Comm. ACM, 13(6).
Cuppens, F. and Yazdanian, K. (1992). A “Natural” Decomposition of Multi-level Relations. Proc. 1992 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Denning, D. E. (1988). Database Security. Ann. Rev. Comput. Sci. 3.
Denning, D. E., Lunt, T. F., Schell, R. R., Heckman, M., and Shockley, W. R. (1987). A multilevel relational data model. Proc. 1987 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Denning, D. E., Lunt, T. F., Schell, R. R., Shockley, W. R., and Heckman, M. (1988). The SeaView Security Model. Proc. 1988 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Elmasri, R. and Navathe, S. B. (1989). “Fundamentals of Database Systems.” Benjamin/Cummings, Reading, Massachusetts.
Fernandez, E. B., Summers, R. C., and Wood, C. (1981). “Database Security and Integrity.” (System Programming Series) Addison-Wesley, Reading, Massachusetts.
Fernandez, E. B., Gudes, E., and Song, H. (1989). A Security Model for Object-Oriented Databases. Proc. 1989 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Fernandez, E. B., Gudes, E., and Song, H. (1993). A Model for Evaluation and Administration of Security in Object-Oriented Databases. IEEE Trans. Knowledge and Data Engineering (forthcoming).
Fugini, M. G. (1988). Secure Database Development Methodologies. In “Database Security: Status and Prospects,” C. Landwehr, ed. North-Holland (Elsevier).
Garvey, C. and Wu, A. (1988). ASD-Views. Proc. 1988 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Graham, G. S. and Denning, P. J. (1972). Protection Principles and Practices. Proc. AFIPS Spring Joint Computer Conference.
Griffiths, P. P. and Wade, B. W. (1976). An authorization mechanism for a relational database system. ACM Trans. Database Systems (TODS) 1(3).
Haigh, J. T., O’Brien, R. C., Stachour, P. D., and Toups, D. L. (1990). The LDV Approach to Database Security. In “Database Security III: Status and Prospects,” D. L. Spooner and C. Landwehr, eds. North-Holland (Elsevier).
Harrison, M. A., Ruzo, W. L., and Ullman, J. D. (1976). Protection in operating systems. Comm. ACM 19(8).
Hinke, T. H., Garvey, C., and Wu, A. (1992). A1 Secure DBMS Architecture. In “Research Directions in Database Security,” T. F. Lunt, ed. Springer-Verlag.
ITSEC (1991). Information Technology Security Evaluation Criteria (ITSEC). Provisional Harmonized Criteria, COM(90) 314. Commission of the European Communities.
Jajodia, S. and Kogan, B. (1990). Integrating an Object-Oriented Data Model with Multilevel Security. Proc. 1990 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Jajodia, S. and Sandhu, R. (1990a). Database Security: Current Status and Key Issues. ACM SIGMOD Record 19(4).
Jajodia, S. and Sandhu, R. (1990b). Polyinstantiation Integrity in Multilevel Relations. Proc. 1990 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Jajodia, S., Sandhu, R., and Sibley, E. (1990). Update Semantics of Multilevel Secure Relations. Proc. 6th Ann. Comp. Security Application Conf. (ACSAC ’90). IEEE Computer Society Press.
Jajodia, S. and Sandhu, R. (1991a). Toward a multilevel secure relational data model. Proc. ACM SIGMOD Conf. Denver, Colorado.
Jajodia, S. and Sandhu, R. (1991b). A Novel Decomposition of Multilevel Relations into Single-Level Relations. Proc. 1991 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Jajodia, S. and Mukkamala, R. (1991). Effects of the SeaView decomposition of multilevel relations on database performance. Proc. 5th IFIP WG 11.3 Conf. Database Security. Shepherdstown, West Virginia.
Kang, I. E. and Keefe, T. F. (1992a). On Transaction Processing for Multilevel Secure Replicated Databases. Proc. European Symp. Research in Computer Security (ESORICS ’92). LNCS 648, Springer-Verlag.
Kang, I. E. and Keefe, T. F. (1992b). Recovery Management for Multilevel Secure Database Systems. Proc. 6th IFIP WG 11.3 Conf. on Database Security. Vancouver, British Columbia.
Keefe, T. F., Tsai, W. T., and Thuraisingham, M. B. (1989). Soda - A secure Object-Oriented Database System. Computers & Security 8(5). North-Holland (Elsevier).
Kogan, B. and Jajodia, S. (1990). Concurrency Control in Multilevel Secure Databases using the Replicated Architecture. Proc. ACM SIGMOD Conf. Portland, Oregon.
Lampson, B. W. (1971). Protection. Proc. 5th Princeton Conf. Information and Systems Sciences.
Lampson, B. W. (1973). A Note on the Confinement Problem. Comm. ACM 16(10).
Landwehr, C. E. (1981). Formal Models of Computer Security. ACM Comp. Surveys 13(3).
Lunt, T. F., Schell, R. R., Shockley, W. R., and Warren, D. (1988). Toward a multilevel relational data language. Proc. 4th Ann. Comp. Security Application Conf. (ACSAC ’88). IEEE Computer Society Press.
Lunt, T. F., Denning, D. E., Schell, R. R., Heckman, M., and Shockley, W. R. (1990). The SeaView Security Model. IEEE Trans. Software Engineering (ToSE) 16(6).
Lunt, T. F. and Fernandez, E. B. (1990). Database Security. ACM SIGMOD Record 19(4).
McDermid, J. A. (1993). Formal Methods: Use and Relevance for the Development of Safety-critical Systems. In “Safety Aspects of Computer Control,” P. Bennett, ed. Butterworth-Heinemann.
Merkl, D. and Pernul, G. (1994). Security for Next Generation of Hypertext Systems. Hypermedia 6(1) (forthcoming). Taylor Graham.
Millen, J. K. (1989). Models of Multilevel Computer Security. Advances in Computers 29 (M. C. Yovits, ed.). Academic Press.
Millen, J. K. and Lunt, T. F. (1992). Security for Object-Oriented Database Systems. Proc. 1992 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Morgenstern, M. (1987). Security and Inference in Multilevel Database and Knowledge-based Systems. Proc. ACM SIGMOD Conf. San Francisco, California.
Navathe, S. B. and Pernul, G. (1992). Conceptual and Logical Design of Relational Databases. Advances in Computers 35 (M. C. Yovits, ed.). Academic Press.
Neumann, P. G. (1990). Rainbow and Arrows: How the Security Criteria Address Computer Misuse. Proc. 13th National Computer Security Conference. IEEE Computer Society Press.
Neumann, P. G. (1992). Trusted Systems. In “Computer Security Reference Book,” K. M. Jackson and J. Hruska, eds. Butterworth-Heinemann.
Pernul, G. and Tjoa, A. M. (1991). A View Integration Approach for the Design of Multilevel Secure Databases. Proc. 10th Int’l Conf. Entity-Relationship Approach (ER ’91). San Mateo, California.
Pernul, G. and Luef, G. (1991). A Multilevel Secure Relational Data Model Based on Views. Proc. 7th Ann. Comp. Security Applications Conf. (ACSAC ’91). IEEE Computer Society Press.
Pernul, G. (1992a). Security Constraint Processing in Multilevel Secure AMAC Schemata. Proc. European Symp. Research in Computer Security (ESORICS ’92). LNCS 648, Springer-Verlag.
Pernul, G. (1992b). Security Constraint Processing During MLS Database Design. Proc. 8th Ann. Comp. Security Applications Conf. (ACSAC ’92). IEEE Computer Society Press.
Pernul, G. and Luef, G. (1992). A Bibliography on Database Security. ACM SIGMOD Record 21(1).
Pernul, G. and Tjoa, A. M. (1992). Security Policies for Databases. Proc. IFAC Symp. Safety and Security of Computer Systems (SAFECOMP ’92). Pergamon Press.
Pernul, G., Winiwarter, W., and Tjoa, A. M. (1993). The Entity-Relationship Model for Multilevel Security. Institut für Angewandte Informatik und Informationssysteme. Universität Wien.
Rabitti, F., Bertino, E., Kim, W., and Woelk, D. (1991). A Model of Authorization for Next-generation Database Systems. ACM Trans. Database Systems (TODS) 16(1).
Rochlis, J. A. and Eichin, M. W. (1989). With Microscope and Tweezers: The Worm from MIT’s Perspective. Comm. ACM 32(6).
Schell, R. R., Tao, T. F., and Heckman, M. (1985). Designing the Gemsos Security Kernel for Security and Performance. Proc. 8th Nat’l. Computer Security Conference. IEEE Computer Society Press.
Sell, P. J. (1992). The SPEAR Data Design Method. Proc. 6th IFIP WG 11.3 Conf. Database Security. Burnaby, British Columbia.
Smith, G. W. (1990a). The Semantic Data Model for Security: Representing the Security Semantics of an Application. Proc. 6th Int’l Conf. Data Engineering (ICDE ’90). IEEE Computer Society Press.
Smith, G. W. (1990b). Modeling Security Relevant Data Semantics. Proc. 1990 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Smith, K. and Winslett, M. (1992). Entity Modeling in the MLS Relational Model. Proc. 18th Conf. Very Large Databases (VLDB ’92).
Stachour, P. D. and Thuraisingham, B. (1990). Design of LDV: A Multilevel Secure Relational Database Management System. IEEE Trans. KDE 2(2).
Stoll, C. (1988). Stalking the Wily Hacker. Comm. ACM 31(5).
Stonebraker, M. and Rubinstein, P. (1976). The Ingres Protection System. Proc. 1976 ACM Annual Conference.
TCSEC (1985). Trusted Computer System Evaluation Criteria. (Orange Book). National Computer Security Center, DOD 5200.28-STD.
TDI (1990). Trusted Database Interpretation of the Trusted Computer System Evaluation Criteria. NCSC-TG-021. Version 1.
Thompson, K. (1984). Reflections on Trusting Trust. Comm. ACM 27(8). (Also in ACM Turing Award Lectures: The First Twenty Years 1965-1985. ACM Press.)
Thomsen, D. J. and Haigh, J. T. (1990). A Comparison of Type Enforcement and Unix Setuid Implementation of Well-Formed Transactions. Proc. 6th Ann. Comp. Security Applications Conf. (ACSAC ’90). IEEE Computer Society Press.
Thuraisingham, M. B. (1990). Towards the design of a secure data/knowledge base management system. Data & Knowledge Engineering 5(1), North-Holland (Elsevier).
Thuraisingham, M. B. (1991). Multilevel Security for Multimedia Database Systems. In “Database Security: Status and Prospects IV,” S. Jajodia and C. E. Landwehr, eds. North-Holland (Elsevier).
Thuraisingham, M. B. (1992). Multilevel Secure Object-Oriented Data Model - Issues on noncomposite objects, composite objects, and versioning. JOOP, SIGS Publications.
Wilson, J. (1988). A Security Policy for an A1 DBMS (a Trusted Subject). Proc. 1988 Symp. Research in Security and Privacy. IEEE Computer Society Press.
Wiseman, S. (1991). Abstract and Concrete Models for Secure Database Applications. Proc. 5th IFIP WG 11.3 Conf. Database Security. Shepherdstown, West Virginia.
Functional Representation and Causal Processes

B. CHANDRASEKARAN
Laboratory for AI Research
The Ohio State University
Columbus, Ohio

1. Introduction
2. Human Reasoning about the Physical World
   2.1 Human Qualitative Reasoning
   2.2 Modeling and Prediction
3. Historical Background
   3.1 Need for “Models” in Diagnostic Reasoning
   3.2 Causal Nets
   3.3 Qualitative Device Models
4. Functional Representation
   4.1 Informal Overview
   4.2 Components of FR
   4.3 Remarks on FR
   4.4 Applications of FR
   4.5 Generating FRs for New Devices
   4.6 Generalization to Nondynamic Causal Structures
5. Related Work
6. Concluding Remarks
   6.1 A Research Agenda
   6.2 Logic of Understanding
   6.3 Rich Variety of Reasoning Phenomena
Acknowledgments
References
1. Introduction

Cognitive agents that are organized to achieve goals in the world have three fundamental activities to perform, as illustrated in Fig. 1.

FIG. 1. Some subtasks for a cognitive agent. [Figure not reproduced; the labels that survive are “Making sense of the world” and “Predict consequences of hypothetical actions.”]

• Making sense of the world. Using sensors and other information (including knowledge in memory), the agents have to form a theory of the world, about what is out there and how it works. This task has a number of different subtasks: sensory processing, forming a perception at the right level of abstraction that relates to the goals, and constructing an explanation of what is going on in the world. In this paper we are concerned with the form such explanations often take. Specifically, we propose that such explanations often take the form of a certain type of causal story, and the elements in the story are linked together following specific rules of composition.
• Planning actions to achieve goals. The agent has to embark on actions on the world in order to achieve goals. One technique that is commonly employed is for the agent to synthesize a plan, a sequence of intended actions. Knowledge about the state and causal properties of the world is needed to generate the plans. In particular, causal stories can be inverted to reason from desired states to the actions that are likely to produce them.
• Predicting consequences. A common subtask in planning is to predict the consequences of proposed actions in order to check that desired consequences arise and undesired consequences do not. A common subtask of “making sense of the world” is to evaluate hypotheses about states of the world by predicting the consequences of that state and checking to see if the consequences are indeed true in the world. If the predicted consequences are true, the particular hypothesis of the state of the world is given a higher plausibility. Thus prediction is an important and ubiquitous cognitive activity. Causal models play a role in prediction as well.

Forming causal models of the world and using them for prediction, planning, and the formation of additional causal models are thus important activities of cognitive agents. The major goal of this paper is to review a theory about what form such causal models take and how they can be used for various problem-solving purposes. An important underlying idea is that
causal understanding of the world doesn’t come simply in the form of “facts” about the world (i.e., as propositions or causal rules) but in the form of causal packages that are organized from specific perspectives and point to other causal packages. The work we shall be reviewing is based on the idea that these packages are basic units of comprehension and prediction. The functional representation (FR) theory is a proposal about the logical structure, representation, and use of such causal packages. This article brings together work that has been developed and published in the last decade by a number of researchers.
The study of causality has many dimensions, and also has an illustrious history in philosophy. It is important to be clear about what aspects of the construction of causal models are relevant to our purposes here. One major stream of philosophical work on causality grapples with the semantics of the term “cause,” i.e., exactly what it means to say “A causes B,” or, equivalently, the necessary and sufficient conditions on A and B for us to assert that “A causes B.” There continue to be different points of view on this issue, but this is not something we will be concerned with in this paper. A second stream takes one or another meaning of causality as given, and seeks to give computational formalisms for deciding if A causes B. In AI, Pearl and Verma (1991), for example, have adopted a probabilistic interpretation of causality, and they then go on to propose a Bayesian technique for computing the likelihood that A causes B.
Our work is not concerned with formalizing the semantics of “cause.” We take “cause” as a primitive. Our representations already start with some knowledge of causes, and we strive to build other causal relations from this. Nor is our work concerned with quantification of the probabilities of causation. For now we take our causation to be deterministic.
The research reported here has the goal of elaborating a theory of representation of causal processes and using the representational framework for problem solving of various sorts. What is the connection between functions of devices and causal processes? So far I have been talking only about causal packages, without any mention of function. In the domain of devices, causal representation and reasoning serve several purposes. In design, the goal is to organize components in such a way that the causal processes which result cause the intended function to be achieved. In diagnosis, the causal process is analyzed to see why the intended function is not being achieved. Thus, understanding how to represent causal processes in general is a prerequisite for reasoning about the functions of devices. In reasoning about device functions, we use the same techniques as reasoning about causal processes in the world in general, but now there are specific constraints on what kinds of effects are desired, are intended, or are to be avoided.
2. Human Reasoning about the Physical World
The research on device understanding and reasoning about causal processes is, for me, part of a larger agenda of creating a technology based on the same sources of power that the human agent taps into when reasoning about the world. I would like to make a brief detour describing a broader framework for thinking about human reasoning about the physical world, and along the way point to the role played by causal process packages in this framework. Those interested only in the technical aspects of functional representation can skip this section and go right to Section 3.
2.1 Human Qualitative Reasoning
Let us compare a trained physicist and an unschooled man-on-the-street. The physicist has a specialized vocabulary and a number of mathematical modeling and analytical techniques. The physicist might deploy his or her scientific knowledge and perspective selectively, either to reason about specialized domains or when precise answers to certain questions are needed. The special vocabulary and techniques of the physicist notwithstanding, there is a substantial overlap in the ways the physicist and the common man reason in everyday situations. They share an ontology and general-purpose reasoning strategies that arise from the properties of the shared cognitive architecture. Knowledge needed for reasoning about the world comes in many types:
1. A commonsense ontology¹ that predates and is, in fact, used by modern science: consisting in space, time, flow, physical objects, cause, state, perceptual primitives such as shapes, and so on. The terms in this ontology are experientially and logically so fundamental that scientific theories are built on the infrastructure of this ontology. Early work in qualitative physics (QP) had as a main goal elaboration of such an ontology (Hayes, 1979, and Forbus, 1984 are examples). Even today, a good deal of QP research grapples with the development of ontologies for different parts of commonsense physical knowledge.
2. The scientific ontology is built on the commonsense ontology (and often gives specific technical meanings to some of the terms in it, such as “force”). Additional concepts and terms are constructed. Some of these are quite outside commonsense experience (examples are “voltage,” “current,” and “charm of quarks”).
¹ Ontology is a term used in AI to refer to the terms in a representation language. The language is said to be committed to the existence of those types of entities. Ontology in philosophy is the study of what kinds of things exist.
3. Compiled causal knowledge is knowledge of causal expectations that people compile partly from direct experience and partly by caching some results from earlier problem solving. Which causal expectations get stored and used is largely determined by the relevance of the causes and effects to the goals of the problem solver.
There is a more organized form of causal knowledge that we build up as well: models of causal processes. By process model I mean a description in terms of temporally evolving state transitions, where the state descriptions are couched in the terms of the commonsense and scientific ontologies. For example, we have commonsense causal processes such as “boiling,” or specialized ones such as “voltage amplification,” “the business cycle,” and so on. These are goal-dependent process descriptions, one in which the qualitative states that participate in the description have been chosen based on abstractions relevant to the agent’s goals. In particular, such descriptions are couched in terms of possible intervention options on the world to affect the causal process, or observation options to detect the process. The work on functional representations that I describe in this paper develops terms to represent these causal process descriptions.
When the process model is based on prescientific or unscientific views, we are dealing with naive process models (such as models of the Sun rotating around the Earth, or of exorcism of evil spirits). Many prescientific process models are not only quite adequate, but are actually simpler and more computationally efficient than the scientific ones for everyday purposes. Some sciences, such as geology and biology, often present their causal theories in the form of such process descriptions (e.g., how mountains are formed, how the infection-fighting mechanism works).
These process descriptions are great organizing aids as we will discuss in the paper: they focus the direction of prediction, help in the identification of structures to realize desired functions in design, and suggest actions to enable or abort the process.
4. Mathematical equations embodying scientific laws and expressing relations between state variables. These equations themselves are acausal, and any causal direction is given by additional knowledge concerning which variables are exogenous.
2.2 Modeling and Prediction
The framework should provide support for the three components of reasoning about the physical world: modeling, prediction, and control of reasoning. In what follows, we discuss modeling and prediction. Control of reasoning is rather tangential to the main issues of concern here. The interested reader can refer to the section on control of reasoning in Chandrasekaran (1992).
2.2.1 Modeling
All modeling is done in the context of the goals to be accomplished, i.e., states to be achieved or avoided in the world. Causal process knowledge plays an essential role in identifying aspects of the physical situation and the perspectives that need to be represented. The process models can be used to identify states that should be represented and reasoned about. The heart of the modeling problem is to come up with tractable representations in a goal-dependent way. The aggregation levels (when dealing with populations) (Weld, 1986), the abstractions, the approximations, and the concepts in the representation are all jointly determined by the physical situation, the goals, and the rich storehouse of causal process knowledge that expert reasoners possess.
2.2.2 Prediction
The power of experts in prediction comes not from wholesale formalization of the problem in terms of physics and subsequent qualitative or other type of simulation (which is how much of current QP work tends to present the problem), but by the use of a substantial body of compiled causal knowledge in the form of causal process descriptions that are used to hypothesize states of potential interest. Further, the state variables participating in causal relations may not all be continuous, and hence, even in principle, not all problems of prediction can be formulated in terms of the analysis of dynamic systems, as suggested by Sacks and Doyle (1992) in the critique of QP work. For example, a substantial part of our causal knowledge is about nominal variables (“vacations relax people,” “lack of support causes objects to fall”). Simon (1991) describes a causal ordering scheme that works with such variables, but, as a rule, the most well-known qualitative reasoning models and the dynamic system analysis techniques work only with state variables that happen to be continuous.
Humans in their everyday life rarely predict behavior in the physical world by generating a long series of causal chains. Qualitative reasoning about the world proliferates ambiguities too rapidly. If you ask someone what will happen if I throw a ball at a wall, that person is likely to start off with the ball bouncing off the wall, move on to it dropping on the ground, and end with, “it will probably bounce a few more times on the floor and pretty soon will roll off.” Very little of this sequence of predictions is the result of application of scientific laws of motion. Rather, a short series of causal sequences are constructed from compiled causal knowledge, instantiated to the specific physical situation. Two important sources of power that are available for human experts in generating successor states and handling ambiguities are discussed next.
Compilation of Potentially Interesting Consequences. If we ask someone, “what will happen if I throw a rock at the window?” that person is likely to say, “the window might break.” This answer is generally not a result of any kind of “simulation” of the mechanism of the glass under impact. A number of such causal fragments, compiled from experience or from earlier problem-solving episodes, are stored as part of our causal knowledge about domains of interest. An important aspect of such compilation is that the causal knowledge is, as a rule, no longer in the form of assertions of the form “A will cause B” but rather of the form “A might cause B.” Only causal paths that lead to interesting consequences (i.e., those that are likely to have an impact on various goals of agents) are stored, but this, in turn, introduces uncertainty in the causal relation. This ambiguity is OK, since the goal of qualitative prediction is typically not accuracy or certainty, but identification of an interesting possibility that may be investigated more thoroughly if needed.
Handling Ambiguity. Ambiguities in causal simulation are often handled not on the basis of what effect will happen, but on what might happen that may help or hurt the goals of the problem solver. Thus, when there is more than one successor state in simulation, the state that is related to the goals of interest is chosen for further expansion. In the example of the window, suppose a person was standing on one side of the window, while you, standing on the other side, saw someone about to throw a rock at the window. You would most likely attempt either to stop the rock throwing or alert the person on the other side. You would not be paralyzed with the ambiguities in prediction: the rock may not really hit the window, the window may not shatter, the rock may miss the person, the rock or glass fragments may not draw blood, and so on.
Prediction of behavior in the physical world always takes place in the context of such background goals. The existence of these goals makes up for the fact that we rarely have enough information to be more than qualitative in our reasoning.² Lest one should think that this is only a phenomenon of interest in the commonsense world, it should be stressed that engineering reasoning is full of such goal-driven ambiguity handling. For example, in design analysis, one might use
² There is another technique for reducing the ambiguity endemic in qualitative prediction which is worth mentioning for completeness, though it is not really relevant to the main topic of this paper. When in doubt about consequences, small and, possibly, retractable changes can be made to the physical world, and the consequences directly noted. This information reduces ambiguity about the future behavior. In robotic motion tasks, such interaction-driven ambiguity resolution can be helpful. There is often no reason to make a complete and ambiguity-laden prediction of a physical situation. Using the real world as a computational aid in this way (Chapman, 1990) helps to avoid long chains of reasoning based on complex symbolic reasoning models.
this form of ambiguity handling to identify the possibility that a component will make its way into a dangerous state. Of course, once this possibility is identified, quantitative or other normative methods can be used in a selective way to verify the hypothesis. Scientific first principles are embedded in process descriptions (in the form of explanations of causal transitions) in such a way that these principles can be formally used as needed for detailed calculation. In engineering and scientific prediction problems, these techniques of ambiguity reduction are not always sufficient. Whenever reasoning about consequences reaches a point where relatively precise answers are needed for choices to be made, the situation can be selectively modeled and analytical methods of varying degrees of complexity and precision can be employed. The models that are formed reflect the problem-solving goal that is current, and typically represent only a small slice of the physical system. Mathematical techniques of various kinds, including dynamic system analysis techniques recommended in Sacks and Doyle (1992), will clearly form a part of this arsenal of analytical techniques.
3. Historical Background
3.1 Need for “Models” in Diagnostic Reasoning
A brief historical background to the development of this body of ideas on the representation of functions and causal processes might help motivate the ideas. In 1983, one of my main interests in problem solving was diagnostic reasoning. At that time, a discussion was getting started on so-called “deep” versus “shallow” representation of knowledge for diagnosis. Rules were said to be shallow because they were, it was claimed, just associations between symptoms and malfunctions (as in Mycin), without any indication of how the latter caused the former. It was proposed that, in contrast, there were so-called deep representations that provided a basis for explaining the associations. When diagnostic knowledge, i.e., knowledge that related the malfunction categories and symptoms, was incomplete or missing, it was proposed that these deep representations, also called models,³ might be invoked and the missing knowledge generated. (Chandrasekaran and Mittal, 1983, give an early presentation of these ideas, and Bylander, 1990, and Chandrasekaran, 1991, present up-to-date analysis of the issues involved.) Model-based reasoning became a big subarea of research in AI over the last decade, precisely in response to the perceived need for a representation that was not just restricted to a narrow range of tasks. Models were intended to be a description of how the device worked. I review two streams of work in representing models of devices (or physiological systems, since many of the ideas arose in the context of medical diagnosis).
³ This term is a bit of a misnomer. Any collection of knowledge about some domain, whether it be associational rules or something else, is in fact a model of the domain. When people use the word “model” in this area, they intend a particular type of model that I have elsewhere (Chandrasekaran, 1991) characterized as a “structure-behavior-function” model.
3.2 Causal Nets
The work by Weiss et al. (1978) is representative of this stream. (The belief nets of Pearl, 1986, are not meant explicitly as device models, but could be used to represent the causal relations underlying the device.) In causal nets, a device’s workings are represented as a network of causal relations between the variables describing the system. An effect could be the result of more than one cause, and a cause could result in more than one effect. One could introduce numerical weights in the links between nodes to represent some notion of the likelihood of the effect given the cause. There are a number of technical issues in such a representation that are not important for my current purpose, but I want to draw attention to two related aspects of such networks. The theories do not propose explicit criteria for the levels of abstraction that should be used for the variables, or for organizing the causal network. In this approach, these two decisions are left as part of the modeling problem, and are thus deemed to be domain-specific issues. Let me illustrate the point by a simple example. A network in the domain of medicine may have two causal links entering a node labeled “headache”:
high blood-pressure at blood vessels at the temple → headache (Link 1)
infectious diseases of certain kinds → headache (Link 2).
Note that both are true causal relations, but do not represent different causal mechanisms. In the former, a causal explanation at the level of a physiological mechanism is offered, while in the latter a disease-level explanation is represented. One of the ways in which diseases of a certain kind might cause headache is, in fact, by activating processes that increase the blood pressure level at the temples. The two relations are best thought of as existing at different levels of abstraction and indexed by different goals. The relation involving infectious diseases is probably most usefully indexed by the goal of “diagnosis.” The relation involving the pressure level at the temple might not be activated at all during diagnosis. On the other hand, for research on drug mechanisms, knowledge in Link 1 might
be directly relevant and, hence, should be activated. The FR theory in this paper uses causal networks, but provides task-specific criteria for abstraction levels for the variables and organization of causal knowledge.
3.3 Qualitative Device Models
Another stream of ideas on representing models is the work of de Kleer (de Kleer, 1985; de Kleer and Brown, 1984) and others in that school. Devices (or physical systems) are modeled as having components connected in specific ways. The components are specified as satisfying certain input-output relations. A description of the device in terms of its components and their relations is called the structure of the device. The device can be simulated, i.e., the values of all the variables could be derived using knowledge about the components’ input-output properties and about the component interconnections. Such a description is termed the behavior of the device.
Contrastingly, Forbus (1984) introduced the idea that the way to model phenomena is as a set of processes. A physical situation is described in terms of processes at work in some domain of interest and their interaction. This is the structural representation. Behavior is generated by working out the consequences of interacting processes. The process and the component perspectives are seen within the qualitative reasoning community as compatible alternatives: some physical situations are best modeled as components interacting, others as processes interacting, while yet others as perhaps having both components and processes. I think, however, that it is best to take the process view as the basic one and think of a component view as a special case. Component input-output relations become a specific type of process and the physical connections between components a specific type of process interaction.
Kuipers’ (1986) representation of structure is much simpler than the previous two: It is simply a list of state variables and a description of how a change in the value of a state variable affects other state variable values. The three representations, i.e., the componential, process, and state variable relations, are related.
One could take the set of all input and output variables of the components in the de Kleer representation as the state variables of Kuipers and use the input-output component descriptions to generate a description of how certain state variable values change as a function of changes in the values of the other state variables. Representationally, all the above approaches describe the world as a set of state variables and the underlying causal process as a set of relations between changes in the state variables. This is, of course, the standard ontology of physics and system engineering. In the de Kleer picture, the
state variables belong to the components, the component descriptions give the causal relations between variables, and the component connections describe how the changes propagate. In the Forbus picture, the state variables belong to the processes that also describe the causal relations between changes in the variables. In the Kuipers picture, the state variables and their relations are simply described, without a particular theory of whether the variables arise from components or processes.
AI researchers in qualitative reasoning proposed an additional set of ideas about simulation, specifically qualitative simulation. In their view, human intelligence is characterized by the fact that such structural models are qualitative, i.e., causal relations are described only in terms of ranges of values rather than actual values. Instead of giving the exact description of how a change in variable x causes a change in variable y, the causal relation is given only as “If x increases, y decreases,” or some similar type of trend description. de Kleer and Kuipers propose techniques for generating behavior using such qualitative relations exclusively. These approaches are well-documented (e.g., Forbus, 1988), and there is no need to review them in detail here. We will argue that goal-directed allocation of reasoning resources is a more useful characterization of human intelligence than reasoning in terms of qualitative ranges of values.
Another AI technique for reasoning about the world is consolidation (Bylander, 1988). This work is based on the observation that often, for predicting behavior, the structure of a device is simplified in certain systematic ways. Such a simplification can help avoid component-by-component simulation. For example, given two resistors in series we simplify that into one resistor.
Especially in electrical devices and, to some extent, in electromechanical devices, such repeated application of structural grouping operations results in greatly simplified descriptions that make simulation either much easier or even unnecessary. In circuits, for example, we can simplify the resistance by repeated application of formulae for series and parallel resistors, and just write down formulae for all the currents. Any qualitative analysis can then be applied to this equation.
In these approaches the behavior of the device is composed from the behavioral description of the components, processes, or state variable relations. These techniques need to be complemented by other techniques to provide the following additional capabilities that are often needed:
1. Device-level vs. component-level abstractions. In the qualitative reasoning approaches that we have described, the terms in which the behavior of the device as a whole is described is the same as in the component-level descriptions. For example, suppose we have an electronic amplifier, and the device’s structure is described in terms of its components:
transistors, resistors, capacitors, and so forth. Let us say that each of these component behaviors is described in terms of their currents and voltages. The techniques for simulation which we have described would produce a description of device behavior in terms of currents and voltages. However, the behavior of the device as a whole in which we are interested is as an amplifier, which is a higher level of description. We need techniques that relate the device-level behavioral abstractions to the descriptions at the component level.
2. Concern exclusively with aspects relevant to the goal. The simulation techniques of qualitative reasoning produce the values of all the component-level state variables that are part of the model. However, many of the state variables may not be of interest to the goal at hand. In the amplifier example, if we are interested in the value of the “amplification ratio” for some configuration of parameters, there may be no need to generate the values of the currents and voltages in circuits that play no causal role in the production of amplification. The computational work needed to generate the values of all the state variables may be reduced if we have a goal-directed simulation strategy, and a representation that helps in identifying the dependences and in focusing the simulation.
3. Flexibility regarding detail. Human reasoning, while it is largely qualitative in the sense of reasoning over ranges, is also capable of invoking techniques for precise calculation if quantitative information is needed. An engineer might perform some reasoning using qualitative information, formulate a well-posed numerical problem that she might solve on paper or computer, and proceed with qualitative reasoning again. That is, human reasoning flexibly integrates computations of different degrees of accuracy and precision in a goal-directed way.
The FR work that we review in this paper provides the complementary function-oriented view that is needed to provide the above capabilities.
4. Functional Representation
The functional representation framework is a proposal of top-down representation for goal-directed, flexible reasoning that bridges abstraction levels. It was originally proposed by Sembugamoorthy and Chandrasekaran (1986) for the causal processes that culminate in the achievement of device functions. (Some devices achieve their functions by means of causal processes, while the function of others is explained directly from their structure. We discuss this distinction later, but for now consider only devices wherein causal processes are the means of achieving the functions.)
In FR, the function of the overall device is described first and the behavior of each component is then described in terms of how it contributes to the function.
4.1 Informal Overview
FR for a device has three parts:
• a description of intended function (independent of how the function is accomplished)
• a description of the structure of the device, i.e., what the parts are and how they are connected. (The degree of detail in this description is chosen by the describer.)
• a description of how the device achieves the function, specifically a process description.
de Kleer (1985) introduced the terms “structure” and “behavior” formally in the study of devices, and also discussed the idea of “functions” as having to do with the teleology of artifacts. de Kleer and Brown (1983) also proposed a process description of mental models of how a device worked. Our work builds on some of these notions.
The part of FR that describes the function treats the device as a blackbox, i.e., it makes no assumptions about its internal structure, not to mention any processes that take place in the device. This is because the same function may be achieved in different ways, and thus a description of the function itself should not make any commitments about structure. This may be called the “No structure in function” principle, a kind of converse of the “No function in structure” principle due to de Kleer. Of course, to describe a function we need to describe a certain minimum amount of structure: how the device is to be embedded in the environment (e.g., where it is to be placed and how it is to be connected), where on the device the operations to initiate the function are to be performed (e.g., turning the switch on for an electrical lighting circuit or an electric iron), and where the functional output is to be realized (e.g., light near the bulb, heat at the ironing plate). Other than this, we only have to describe under what conditions what kinds of predicates are to be satisfied by the device in order for it to achieve the function of interest. That is, a function is represented by describing the context of its application, the initiating conditions and the predicates the device has to satisfy for it to achieve the function.
Of course FR as a whole enables us to combine this description of function with how the specific device achieves it, by adding descriptions of structure and the causal processes that make the function happen in the device. It is important to emphasize this independence of the what of the function
from its how, since such a distinction is widely understood to be an important desideratum for representing function (e.g., Brajnik et al., 1991; Chittaro et al., 1993a,b; Kaindl, 1993). The FR framework honors this distinction.
Representing the structure is straightforward: we simply list the component names and their functions and indicate how the components are put together to make the device, i.e., describe the relations between the components. The component functions are described using the same ideas as in the description of the device function. We give examples of such descriptions later in the paper.
The basic idea in describing how a device achieves its function is that of a causal process description (CPD). That is, we describe how the device goes through a causal state transition process in which the initial state is the state of the device just at the time the device “starts,” the final state is the state at which the device is achieving the function for which it was designed, and each state transition is explained by appealing to knowledge concerning components or domain. The idea that a behavioral description of a device represents a link between structure and function has been stated often in the AI literature, from the early works of de Kleer to Gero et al., 1992, but our proposal on CPD takes a very specific stance about what kinds of behavioral descriptions have the explanatory power needed to explain the function and bridge the levels of abstraction between component-level and device-level descriptions.
A CPD can be thought of as a directed graph whose nodes are predicates about the states of the device, and the links the causal transitions. The links have one or more annotations that explain the transition. The annotations, according to the theory, belong to certain specific types. Consider a simple electrical circuit with a switch, a voltage source, and a resistor. Let us say that the function we are interested in is the production of heat.
A causal account of how this function comes about might be given as follows: A + B + C + D + E, where A is ‘switch is on,’ B is ‘voltage applied between terminals,’ C is ‘current to flow in the circuit,’ D is ‘current flows through the resistor,’ and E is ‘heat generated.’ Normally “ ” can be interpreted as “causes.” CPD is not a neutral description, but one that is oriented towards explaining a selected function. If the function of interest is the production of light and the resistor is a filament inside a light bulb, the link D + E, might read as follows: D is ‘current flows through the resistor,’ and E is ‘light generated.’
Of course the current through the resistor also produces heat. If we are interested in explaining the production both of light and heat, the graph might look as follows:
A → B → C → D → E
            └→ E’
where E corresponds to production of light and E’ to production of heat.
Now let us examine how the transitions might be explained. A → B: “Closing the switch causes voltage to be applied between the terminals of the circuit.” In explaining this transition we use knowledge about the “closing” function of the switch (the component “switch” had the two functions, “open” and “closed”) and the “voltage” function of “battery.” The transition B → C, ‘the application of voltage causes a current to flow through the circuit,’ invokes the connectivity-providing functions of the various connectors, and also uses a domain law, viz., Ohm’s law. Checking the connectivity functions of the connectors ensures that the structure is in fact a circuit. Ohm’s law can be used to provide qualitative or quantitative information about the quantities involved.
The transition C → D asserts that ‘current flowing through the circuit means that there is current through the resistor.’ This particular transition is not normally viewed as a causal transition. The explainer is simply inferring a predicate of interest, in this case, that there is current through the resistor. The explanation appeals to the meaning of a circuit. If we want only causal links, we can collapse the two links into one, B → D, asserting, ‘application of voltage causes current through the resistor.’ The explanation would still appeal to the connectivity functions of the connectors and to Ohm’s law.
The transition D → E, asserting that ‘current through the resistor causes heat to be produced,’ can be explained in different ways. One possibility is to simply point to the scientific laws that relate electricity to heat production in a resistor, similar to the way Ohm’s law was used earlier. Such a law can be given in numerical or qualitative form, as needed. In this case, the link would be annotated as By-Domain-Law (current-to-heat equation). In this explanation, the domain law is taken as a primitive explanation, satisfactory for the current problem-solving goals. The same transition can be explained by appealing to another process: how electricity gets converted to heat. The link would have the annotation By-CPD (electricity-to-heat). Someone who already understands this process can use it if needed and build the more detailed (and longer) causal story. This causal process can be explained separately for anyone who doesn’t already understand it.
To summarize the various explanatory annotations:
i. By-CPD: This points to another CPD that provides further details of the transition. The details of the CPD may not matter for the current purpose. If they matter, the CPD may be part of the prior knowledge of the agent, or can be explained separately. Potentially long process explanations can thus be hierarchically composed out of other process explanations, making explanation at each level shorter. (The Abel system of Patil et al., 1981, uses a similar approach of describing causal chains with hierarchically increasing details.) CPDs (such as “boiling” in commonsense physics, or “electricity-to-light production” in the circuit example) can be reused, possibly after instantiating some parameters (e.g., the pressure at which the boiling is done, the liquid that is being boiled, and so on). Human expertise in a domain contains knowledge of a large number of such causal processes that can be parametrized and reused.
ii. By-Function-Of-(component): This annotation appeals to the function of a component as the causal explanation of the transition. A major goal of causal explanation in devices is to explain the behavior of the device in terms of the properties of the components and their interconnections. Again, a large part of the expertise of human experts in a domain is in the form of knowledge concerning generic components and their functions (though, in many cases, how the component functions may not be known). The ability to explain the device functions partly in terms of component functions, and to explain component functions, in turn, in terms of the functions of its subcomponents helps in the formation of functional/component hierarchies in explanation and design. Also, components with different internal structure but the same function can be substituted.
iii. By-Domain-Law (law): Another form of explanation is by appeal to domain laws. In the domain of engineering, scientific laws are the ultimate basis of explaining why the device behaves as it does. For example, the state transition, 5 Volts at the input → 2 amps through the load, might be explained as By-Domain-Law (Ohm’s Law: Voltage = Current * Resistance).
For a particular device, any realistic FR description will taper off at some level of components and CPDs. The terms that are used at the lowest level of description are themselves undefined. In explanations directed to humans, these terms are assumed to be part of commonsense knowledge. For machine processing, the terms at the lowest levels of description are just strings of symbols. Thus every FR is inherently incomplete.
Noncausal links. Sometimes additional, noncausal links may need to be added to arrive at the predicate of interest. For example, for an amplifier, we may have constructed the CPD,
Voltage 1 at the input → ... → Voltage 10 at the output,
but the function that needs to be explained might be Amplification of 10. A noncausal, definitional/abstraction link can be used to arrive at the node Amplification of 10 from Voltage 10 at the output. Such links can be used to indicate an inference that follows from predicates in the earlier nodes.
We have given examples of four ways in which a link can be explained: appealing to the function of a component, a causal process, a domain law, or some noncausal inference. In the body of FR research, the set of annotations has been somewhat open-ended and evolving. In the original paper (Sembugamoorthy and Chandrasekaran, 1986), we had made finer distinctions for the By-knowledge link, and also proposed a By-structural-assumptions link. The last link was intended to handle situations where the structure as given was not sufficient to justify the causal transition, but, with some additional assumptions about the structure, it was assumed that the transition would work. In the newer versions of the FR language, we include such requirements under various kinds of qualifiers. Vescovi et al. (1993) have identified another link called By-participation-of (component), to account for the situation in which some aspect of the component that has not been explicitly identified as its function plays a role in some state transition.
Qualifiers. In addition to the explanatory annotations, the links may have qualifiers that state conditions under which the transition will take place. In FR the qualifier Provided(p) is used to indicate that condition p should hold during the causal transition in order for the transition to be initiated and completed, and If(p) to indicate that the condition p should hold at the moment at which the causal transition is to start. The conditions can refer to the states of any of the components or substances. Many of these qualifiers are eventually translated into conditions on the structural parameters.
4.2 Components of FR
I will use a running example of a device called a nitric acid cooler (NAC) (Goel, 1989) to illustrate various aspects of FR. Figure 2 is a schematic of the device.
[FIG. 2. Schematic of the NAC; image not reproduced. Surviving labels: Hot H2O, chamber (HEC), Cold H2O, P5.]
4.2.1 Structure of a Device
The structure of a device is a specification of the set of components that constitute the device and the relations between the components. The components are represented by their names and by the names of their functions, which are all domain-specific strings. Components and functions can have variables as their parameters, and thus may describe classes. In the NAC example, component class pipe(l,d) describes pipes with length l and diameter d, while pipe2 is a particular instance of pipe(l,d) with specific values for l and d. Similarly, the device NAC as a class has a function cool-input-liquid(rate, temperature-drop), where rate and temperature-drop are capacity parameters of the function cool-input-liquid. A particular NAC might be identified by specific values for these parameters.
Devices can have substances whose properties are transformed as part of their functions. Substances can be destroyed and new substances created. Substances can be physical (e.g., nitric-acid) or abstract (e.g., heat). In the NAC example, the substance nitric-acid had properties temperature, flow rate, and amount of heat (which itself is a substance).
Components have ports at which they come together with other components in certain relations. For example, the component type “pipe” might be written as pipe(l, d; t1, t2), where l and d are the length and diameter, and t1 and t2 are the input and output ports. Components are configured in specific structural relations to each other in order to form a device. In an electrical circuit, electrical components are electrically-connected at the defined terminals. In the NAC example, the relations include conduit-connection, containment, etc. (The relational vocabulary can also include unintended relations, e.g., electrical leakage between electrical components. The components can be in unintended relations to each other as a result of malfunctions.) The vocabulary of relations is domain specific. The semantics of the relations are established by the domain laws that govern the behavior of the components in the given relations. The FR language uses the following keywords for describing structure:
Structure(Device(<device-name>, <functional parameters>, <ports>)),
Component(<component-name>, <component parameters>, <ports>),
Function(<component>),
Relation(<relation>(<component, port>, ..., <component, port>)).
The structure of NAC is given in Fig. 3.
Structure(Device(NAC; cooling-capacity and temperature parameters; ports: P1, P4, P5, P7))
Components:
    pipe1(l1, d1; p1, p2), pipe2(l2, d2; p2, p3), pipe3(l1, d1; p3, output)
    Heat-exchange-chamber(<dimensions>, Input-port, output-port)
    Water-pump(Input, Output)
Function(pipe1): Conduit(input, output)
Function(Heat-exchange-chamber): exchange-heat(<parameters>)
Function(Water-pump): ........
Relations:
    Component(pipe2) contained-in Component(Heat-exchange-chamber)
    Component(pipe1) conduit-connected (pipe2) (Ports: <information about ports>)
    Component(Water-pump) conduit-connected Component(Heat-exchange-chamber) (Ports: <information about which ports of components are connected, e.g., Input-port of Heat-Exchange Chamber is the same as the Output of Water-pump>)
FIG. 3. Structural description of NAC. (From Chandrasekaran, B., Goel, A., and Iwasaki, Y., “Functional representation as design rationale,” IEEE Computer, January 1993, pp. 48-56. © 1993, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
In the figure, the terms in italics are domain-specific names for functions, components, relations, etc. The interpreter for FR treats them as strings. The terms in computer font are terms in FR. Additional domain-specific interpreters may be able to use the italicized terms as meaningful keywords. For example, a mechanical simulator can use terms such as contained-in and conduit-connected to perform simulations. For the purpose of this exposition, they are to be understood in their informal, English-language meanings. The syntax of the Relations keyword is that an n-ary relation has n components; moreover, a Ports term indicates which ports of the components are connected. Note that the components are described purely in terms of their functions. In principle this makes it possible to replace components by structurally different but functionally identical components. Further, the components themselves can be represented as devices in their own terms.
4.2.2 States and Partial States
A device state is represented as a set of state variables {Vi} consisting of the values of all the variables of interest in the description of the device. State variables can be either continuous or discrete. In particular, some of the variables may take truth values {T, F} as their values, i.e., they are defined by predicates. An example of a continuous variable is water temperature in a device that uses water for cooling a substance. An example of a variable defined by a predicate is ?open(valve). This variable will take the value T or F depending upon whether the valve is or is not open. In describing functions and causal processes, we generally speak in terms of partial states of the device. A partial state is given by the values (or some constraints on the values) of a subset of state variables. For example, the partial state (call it state1) of NAC (describing some relevant state variables at the input p1 of the device) can be given as {substance: nitric acid; location (substance): p1, temperature (substance): T1}. State2, describing the properties of nitric acid at location p2, will only differ in the location parameter, while the partial state description, state3, at a location p3 will be {substance: nitric acid; location (substance): p3, temperature (substance): T2}, where T2 < T1.
State Description Languages. The language in which states are represented is itself not part of the representational repertoire of FR and is largely domain specific. In economics, the state variables would be entities such as GNP, inflation-rate, etc.; in nuclear plants, an entity might be radiation-level. Goel (1989) has defined a state description language which is useful in describing devices that deal with material substances that change locations, e.g., those in which substance flow is a useful notion. The state representation we just used for NAC employs this language. In NAC and many other domains a state can be represented by a real number, a binary predicate, or a vector of real numbers and predicates.
Shape-Based States. In principle the states can be images or shapes, in addition to symbolic entities as in the examples so far. For example, when we want to describe the causal process corresponding to the flow of hot molten metal into molds, the relevant intermediate states may be shape descriptions. (See Chandrasekaran and Narayanan (1990) and Narayanan and Chandrasekaran (1991) for descriptions of work relating to such visual simulations.)
State Abstractions. Consider a device which, at one level of description of states, has one of its state variables, say s, going through the following partial states repetitively: {-1, 0, 1}. That is, the state variable is oscillating around 0. Suppose we define another state variable ?oscillating by a process of abstraction from the values of s over time. This would be a binary variable taking on the value Yes if the values of s are cycling through {-1, 0, 1} and No otherwise. Allemang and Keuneke (1988) discuss a number of issues in creating such abstractions (see also Weld, 1986). Which state variable behaviors are abstracted and the way this is done are determined by considerations outside the physical system itself. In fact, all descriptions of physical systems at any level presuppose and arise from a set of problem-solving goals. Whatever state variables we use to describe a system at the lowest level can themselves be defined from such a process of abstraction from physical behavior at even lower levels; there really is no way of representing any real-world system in a truly neutral way.
4.2.3 Causal Process Description
Formally, the causal process description (see Iwasaki and Chandrasekaran, 1992) is represented as a directed graph with two distinguished nodes, N_init and N_fin. Each node in the graph represents a partial state of the device. N_init corresponds to the partial state of the device when the conditions for the function are initiated (such as turning a switch on). N_fin corresponds to the state where the function is achieved. Each link represents a causal connection between nodes. One or more qualifiers are attached to the links to indicate the conditions under which the transition will take place, and one or more annotations can be attached to indicate the type of causal explanation to be given for the transition. The graph may be cyclic, but there must be a directed path from N_init to N_fin.
CPD-1: state1 (HNO3 at temp T1 at location p1) → state2 (HNO3 at temp T1 at location p2) → state3 (HNO3 at temp T2 (T2 < T1) at location p3)
CPD-2: Water at temp T3 at input to water-pump → Water at temp T3 at input to Heat-exchanger → Water at temp T4, T4 > T3 at output of Heat-exchanger
FIG. 4. CPDs for device NAC (without link annotations). state1, state2, and state3 are described more formally in the text. The transition from state2 to state3 is described in Fig. 3 with annotations and qualifiers. (From Chandrasekaran, B., Goel, A., and Iwasaki, Y. (1993) "Functional representation as design rationale," IEEE Computer, January 1993, pp. 48-56. © 1993, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
In the NAC example, let nodes state1, state2, and state3 correspond to the states of nitric acid at the input to pipe1, at location p2, and location p3, respectively. Figure 4 depicts the CPD graph (without any annotations or qualifiers) describing what happens to nitric acid and water as they flow through the chamber. In the figure, the nodes are described in informal English, but they can be described more formally similar to my earlier description of state1.
state2 → state3
    Domain-law: zeroth-law-of-thermo-dynamics
    Qualifiers: (appropriate enclosures of pipes in chamber)
FIG. 5. Annotations and qualifiers for a causal transition in NAC.
Annotation of Links in CPD. This example will illustrate the use of three types of annotation for explaining causal transitions: appealing to another causal process, to a function of a component, or to domain laws (so-called first principles of the domain). It will also illustrate the use of qualifiers, or conditions on states or device parameters for the transition to take place. Figure 5 shows one fully annotated causal transition in the Nitric-Acid-Cooler. It uses two functional and one domain law annotations, and employs conditions on the structure and substances as qualifiers. The qualifiers include conditions on the properties of the substance (it should be a liquid of low acidity) and structural conditions (the chamber fully encloses pipe2). Note that a transition may have more than one annotation or qualifier.
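The CPD graph of Section 4.2.3, with the link annotations and qualifiers described above, can be written down and checked mechanically. The following Python sketch is an added example, not code from the chapter or from any FR implementation; the class and function names, the Noncausal tag, the use of Provided for the Fig. 5 qualifier, and the body of the electricity-to-heat CPD are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Keywords taken from the text; "Noncausal" is an assumed tag for the
# definitional/abstraction links, which the text describes but does not name.
ANNOTATIONS = {"By-CPD", "By-Function-Of", "By-Domain-Law", "Noncausal"}
QUALIFIERS = {"Provided", "If"}


@dataclass
class Link:
    src: str
    dst: str
    annotations: list = field(default_factory=list)  # [(kind, target), ...]
    qualifiers: list = field(default_factory=list)   # [(kind, condition), ...]


@dataclass
class CPD:
    name: str
    n_init: str
    n_fin: str
    links: list

    def reachable(self):
        """Nodes reachable from n_init; the visited set makes cycles safe."""
        succ = {}
        for link in self.links:
            succ.setdefault(link.src, []).append(link.dst)
        seen, queue = {self.n_init}, deque([self.n_init])
        while queue:
            for nxt in succ.get(queue.popleft(), []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen


def validate(cpd, library):
    """Return a list of problems; an empty list means the CPD is well formed."""
    problems = []
    if cpd.n_fin not in cpd.reachable():
        problems.append(f"{cpd.name}: no directed path from {cpd.n_init} to {cpd.n_fin}")
    for link in cpd.links:
        where = f"{cpd.name}: {link.src} -> {link.dst}"
        if not link.annotations:
            problems.append(f"{where}: transition has no explanatory annotation")
        for kind, target in link.annotations:
            if kind not in ANNOTATIONS:
                problems.append(f"{where}: unknown annotation {kind}")
            elif kind == "By-CPD" and target not in library:
                problems.append(f"{where}: By-CPD refers to undefined CPD {target}")
        for kind, _condition in link.qualifiers:
            if kind not in QUALIFIERS:
                problems.append(f"{where}: unknown qualifier {kind}")
    return problems


def explain(cpd, library, depth=0, active=()):
    """Flatten a CPD into explanation lines, expanding By-CPD links recursively."""
    active = active + (cpd.name,)  # CPDs already being expanded on this chain
    lines = []
    for link in cpd.links:
        notes = [f"{k}({t})" for k, t in link.annotations + link.qualifiers]
        lines.append(f"{'  ' * depth}{link.src} -> {link.dst} [{', '.join(notes)}]")
        for kind, target in link.annotations:
            # Skip a CPD that is already open so mutual references cannot loop.
            if kind == "By-CPD" and target in library and target not in active:
                lines += explain(library[target], library, depth + 1, active)
    return lines


# Constructed body: the text names this sub-process but does not spell it out.
heat = CPD("electricity-to-heat", "current flows through the resistor", "heat generated", [
    Link("current flows through the resistor", "heat generated",
         [("By-Domain-Law", "current-to-heat equation")]),
])
# The A -> B -> C -> D -> E circuit example from the text.
circuit = CPD("produce-heat", "switch is on", "heat generated", [
    Link("switch is on", "voltage applied between terminals",
         [("By-Function-Of", "switch"), ("By-Function-Of", "battery")]),
    Link("voltage applied between terminals", "current flows in the circuit",
         [("By-Function-Of", "connectors"), ("By-Domain-Law", "Ohm's law")]),
    Link("current flows in the circuit", "current flows through the resistor",
         [("Noncausal", "meaning of a circuit")]),
    Link("current flows through the resistor", "heat generated",
         [("By-CPD", "electricity-to-heat")]),
])
# The state2 -> state3 link as far as Fig. 5 is legible; Provided is assumed.
nac = CPD("CPD-1 (state2 to state3)", "state2", "state3", [
    Link("state2", "state3", [("By-Domain-Law", "zeroth-law-of-thermo-dynamics")],
         [("Provided", "appropriate enclosures of pipes in chamber")]),
])
LIBRARY = {c.name: c for c in (heat, circuit, nac)}

if __name__ == "__main__":
    print("\n".join(explain(circuit, LIBRARY)))
```
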
4.2.4 On Functions
Types of Functions. Keuneke (1989, 1991) has identified four types of functions: ToMake, ToMaintain, ToPrevent, and ToControl. (Franke, 1991, on device properties such as “guarantee,” “prevent,” etc., is motivated by quite similar ideas.) Formal definitions of these function types have been developed (Iwasaki and Chandrasekaran, 1992), but for our current purposes the following informal ones should suffice. All the function types above except ToControl take as argument a predicate, say PF, defined over the state variables of the device. A function is of the ToMake type if the goal is to make the device reach a state in which PF is true such that after that state is reached, no specific effort is needed to maintain the predicate’s value True, or it doesn’t matter what state the device enters after the desired state is reached. A function is of type ToMaintain if the intention is to bring the device into the desired state and the device has to causally ensure that the predicate remains True in the presence of any external or internal disturbance that might tend to change the device state. A function is of type ToPrevent if the goal is to keep PF from ever being true, and some active causal process in the device is required to ensure it. (While logically ToPrevent P can be written as ToMaintain (Not P), there are important differences in practice. Pragmatically, a designer charged with making sure that a device will not explode uses knowledge indexed and organized for this purpose. This prevention of explosion, say by using a thick pipe, is not the same as maintaining some dynamic state variable in a range.) The function type ToControl takes as argument a specified relation v0 = f(v1, ..., vn) between the state variables v0, v1, ..., vn, and the intent is to maintain this relationship. That is, we wish to control the values of specific variables as a function of the values of some other variables.
A function F thus has the following descriptive elements:
Function(<function-name>)
Device(<device-name>)
Type(<function-name or device-name>)
Start-Conditions(<conditions>; the conditions under which the function will be initiated)
Function-Predicate or Control-Relation(<predicate/control relation>; the predicate that has to be reached, maintained, or prevented, or the control relation that has to be maintained)
By-CPD(<set of causal-process-descriptions>; explains how the function is achieved)
Consider the example of a nitric acid cooler in Fig. 2. Hot nitric acid goes into a heat exchanger and exchanges heat with the water being pumped in. The water gets hotter while the acid gets cooler. The functional definition of NAC can be given as follows.
Function(Nitric-acid-cooling)
Device(NAC)
Type(To-Make)
Start-Conditions(Input temperature of Nitric Acid = T1)
Function-Predicate(Outlet temperature of Nitric Acid = T2, T2 < T1)
By-CPD(CPD-1 in Figure 4)
The complete FR is given by specifying the device name, its structure, the state variables of interest, the functions of interest, and the functional template, including the CPDs using the representational primitives we have just described. Many implementations exist for the FR language, with somewhat different syntax in each implementation. We have used a composite syntax, chosen mainly for expository effectiveness, omitting many of the details by giving English-language descriptions of the intended information within parentheses or curly brackets. For example, we say Qualifiers: (appropriate enclosures of pipes in chamber) in Fig. 5. A detailed syntax for representing the relevant relations about pipes is in fact available (Goel, 1989).
Function types such as To-Maintain and To-Prevent apply not only to engineered artifacts, but to reasoning about natural phenomena as well: e.g., “The centrifugal force prevents the satellite from escaping into space,” and “The rain/evaporation cycle maintains the salinity of the oceans.”
Passive Functions. So far, all our discussion of function has been in the context of temporally evolving causal processes. Keuneke (1989) made a distinction between “active” and “passive” functions. A chair satisfies the function of providing a seat for a person, but normally we don’t explain this functionality by giving a description of all the state changes which the chair goes through as a person sits on it. This is not to deny that such a description can be given, but simply to point out that the function is normally explained as a match between the structural properties of the chair and how that meets the need to provide a seat. Similarly, a flower arrangement provides the function of decorating a room. Again, a description of how it achieves this function can be given by describing some process in which a viewer goes into a state of enjoyment, but the flower arrangement as such is not explained as something that undergoes a process involving state transitions in order for it to achieve the function. In these cases, the object achieves a function simply by virtue of its structural properties. Such devices can still have parts and parts may have functions as well, and the device function as a whole still arises from the parts achieving their functions. For example, in describing how a chair achieves its function, one might say at the top level that a chair has the structural property that a component with the function “support human bottom comfortably” is attached in a certain physical relation to a component with the function “elevate the device from the floor at a height equal to the length of average human legs,” and optionally, in a certain physical relationship to two components with functions “support arms.” Each of the component functions can be defined in terms of certain structural properties. 
With the exception of a recent thesis by Toth (1993), wherein she considers the functions of mechanical structures (such as frames and trusses), there has not been much work in the FR framework for representing such passive functions. In visual recognition, there have been studies (e.g., Stark and Bowyer, 1991; Brand et al., 1992; Rivelin et al., 1993) that attempted to use such functional notions to recognize the identity of objects in a visual scene. Traditionally, programs for recognizing chairs in scenes would have some sort of a structural template or description of a chair, and the recognition process would consist of trying to match this template against the visual scene. In this approach the recognition system can only recognize types of chairs for which it has a structural description. On the other hand, a person who has never seen a bean-bag chair might recognize it as a chair. Function-based recognition may actively use the hierarchical functional model of what makes a chair a chair, namely, it has parts that serve the role of a seat, and so on, to check if the object can serve the function.
Content-Theory of Functions. In specific domains, we can develop theories of elementary functions that can be combined to make more complex functions. When the domain involved is of great generality, such as mechanical force transmission, such a content theory can be widely useful. Hodges (1992) has developed a set of useful basic functions in the domain of physical objects that interact on the basis of shape. Examples of such elementary functions are linkage, lever, gear, pulley, screw, spring, and container. These functions themselves are defined in terms of a vocabulary of state change operations, such as move, constrain, transform, and store.
Functions Intrinsic to Objects? How closely should functions be attached to object descriptions? There has been much debate about the distinction between “function,” “behavior,” and “use.” There is a view that the functions of an object are strictly outside the supposedly more intrinsic behavioral description of an object. That is, functions are seen as constituting a separate ontological category from behaviors, and behaviors are viewed as part of a neutral description of objects. Yet another proposal attempts to make a distinction between the “use” made of an object and its intrinsic function. Any description of an object makes choices from available descriptive terms. The behavior of a physical object might be described by one observer in terms of currents and voltages, while another observer might describe it in terms of amplification. The former description is no more intrinsic than the latter, since the description in terms of currents and voltages is already based on a point of view that chooses both to omit certain things about the object (e.g., color, weight, etc., in the case of a circuit) as well as to commit to a certain level of abstraction (the same object could have been described in terms of more fundamental physical phenomena, say its atomic behavior). There is thus no completely neutral description of an object’s behavior. We have proposed that “function” be interpreted as a distinguished behavior of interest for some observer. There is no commitment to the use of the object for a purpose. However, someone who uses an object in a certain way is an observer for whom the behavior of interest is the one that corresponds to her use of it. Thus, in the sense in which we propose to use the terms, the representational terminology for “use” is the same as that for “function,” which is the same as that for “behavior.” Function is simply a behavior of interest, and the use of a device in a certain way is possible because it is capable of behaving in that way.
Again, this is only for devices whose functions arise because of the state changes that the device passes through. As we mentioned earlier, there are devices whose behavior arises from the very structure of the device, and, in these cases, functions are not to be viewed as “distinguished behaviors of interest.” A more general framework is one in which functions are “distinguished properties of interest,” where properties may be behavioral states or structural properties.
What is the function of a thermostat? To maintain the temperature in a room within a given range? To regulate the flow of electricity to the heater as a certain function of temperature? To regulate the flow of electricity as a function of a specified spatial distance inside a bimetallic strip? None of these descriptions is intrinsic to the piece of matter that we call thermostat. Depending upon how we model the embedding context, all of the above descriptions can be supported. Consider the following CPD: “(T < T1) → strip curls in → end makes physical contact → switch closed → furnace is on → temperature increases.” If we model the thermostat as embedded in the physical circuit, we can halt the “intrinsic” description of the thermostat at “end makes physical contact.” If the embedding context is modeled as an electrical circuit, the thermostat description extends up to “switch closed.” And so on. There is nothing intrinsic about it, though, clearly, there may be some conventions regarding well-known devices that tell us where the description normally halts. The notion of an intrinsic level of description for physical objects derives from a belief in reductionism that all of us have been raised on, namely, that physics gives us the fundamental level of reality and, moreover, that all other (higher) levels can be reduced to it. That might be an appropriate doctrine about the nature of reality, but reasoning about the world requires levels of description corresponding to levels of interest. Our knowledge of causality ties descriptions at various levels: events both within and between levels are causally linked. A theory of reasoning about the physical world cannot be based on the notion of a reductionistic “intrinsic” physical description.
-+
-+
-+
4.3 Remarks on FR

1. Nodes in CPD are partial states. The nodes in the graph are partial states, i.e., predicates about some aspect of the device, not a complete description of all the states of the device.

2. The level of abstraction of the predicates in the CPD is that needed for the causal story. Some of the predicates may directly correspond to component-level state variables, while others may have only a device-level existence. In the CPD in the electrical circuit example, heat and light are device-level state variables, while voltages and current and the off or on status of the switch are component-level variables.

3. FR is underdetermined by the underlying structural description. The form assumed by an FR is not unique. For the same physical system, not only are there different FRs for different functions, but even for a given function, different FRs can be written. The differences could reflect different assumptions about background knowledge, different decomposition strategies, and, to some extent, different intended uses
for the FR. Suppose the FR model is going to be used for diagnostic purposes. Appealing to the domain laws that relate current to heat might be sufficient if all we want to do is to check whether a resistor is faulty and, if so, to replace it. However, if it is a matter of inventing different types of materials from which the resistor is to be produced, a more detailed CPD that refers to the properties of the resistor material may be more useful as an annotation for the same link. It should be emphasized, however, that being goal dependent is not the same as being arbitrary or simply subjective. The FR is still intended to represent reality, but what aspects are chosen and what levels of abstraction they are represented in depend on the problem-solving goal.

4. The CPD integrates the “object” and the “process” views. The CPDs in the FR view integrate the process (Forbus, 1984) and object (de Kleer, 1984) views in modeling a physical system. Components have functions that are realized through CPDs that, in turn, appeal to functions of other components.

5. FR and CPDs capture causal understanding in general. So far, we have talked about functions of devices, i.e., roles intended by designers or users for some physical objects. But, as stated earlier, the FR framework is really a framework for causal understanding, not just for representing functions of engineered artifacts. Consider the following questions:

   i. How does this device work (i.e., deliver the intended function)?
   ii. How does cancer “work”? (i.e., what is the mechanism of cancer?)
   iii. How do clouds make rain? How are mountains formed?
   iv. How does the immune system work?
   v. How does this program work? How does this algorithm work?
   vi. How is sticking pins in the doll going to bring my lover back? (i.e., How does voodoo work?)

Question i of course captures the traditional notion of a function of an engineered device. In question ii, cancer is hardly an intended function.
The questions in iii are about natural phenomena. The scientific temper of our times would be inimical to talking as if clouds have an intended function to make rain, or that geological processes were intended to form mountains. Regarding question iv, the theory of evolution allows us to talk about the function of immune systems (to give the organism immunity against infections) and the function of the heart (to pump blood). In the questions in v, we do not have a physical object at all, but an abstract object of some sort, and we still often talk about it in the same way as we talk about causal
processes in physical objects. In question vi, while the particular voodoo practice has an intended function and the voodoo practitioner is likely to give a causal account, it is not something we would believe in.

Let us first consider particular cases from this list that correspond to physical phenomena. If we interpret the term “function” not in the sense of an intended state, but in the sense of a role or state of interest, it becomes apparent that the causal accounts that are needed to explain the phenomena are of the same type as those we are attempting to capture in CPDs. That is, we are interested in explaining the occurrence of a distinguished state of interest: in i, the device reaches a state corresponding to the intended function, in ii, the cellular mechanisms reach a cancerous state, in iii, a collection of water molecules with certain properties reach a state corresponding to forming rain, and in iv, the body reaches a state in which invading organisms are destroyed. The functional state in an artifact is simply a type of distinguished state of interest.

In the case of abstract systems such as programs (question v), we still have components (modules in programs), their functions (i.e., identified roles to play in the achievement of the goal), and structure (control structures for programs that define how the modules are invoked and how their results are used). We talk about program states changing as a result of certain operations. Allemang (1990, 1991), and Allemang and Chandrasekaran (1991) construct FRs and CPDs for computer programs. Discussions of the metaphysics of how notions of a causal process may be applied to mathematical objects such as programs are beyond the scope of the present article. At least formally, however, the FR machinery is both applicable and useful.

Question vi is interesting in another way. The causal story it tells is, at least according to the lights of science, a false one.
But what is interesting is that such an explanation has the same logical structure as the causal story that a scientist would construct for a natural phenomenon. The explanation of the voodoo process probably goes something like “Sticking of the pin causes such and such spirits to be awakened who, in turn, do such and such things. . .” If asked for an explanation of each causal transition, explanations are likely to appeal to the functions of the various spirits, some recognized causal process in the voodoo theology or some recognized domain relations. That is, what makes the voodoo explanation false is not the form or logic of the explanation, but the phenomena that are appealed to in the explanations. The point of the above discussion is that the underlying framework for capturing the logic of a causal mechanism explanation has broader applicability than just to engineered artifacts. The framework itself can be thought of in terms of an explanation of how certain distinguished states of
interest are, or are not, caused, and what roles the parts of the configuration play in this process. When we design an artifact with a function in mind, we want to create a configuration that can reach states satisfying the predicate corresponding to the function of interest, and we want the various parts of the device to play certain causal roles in this process. When we debug an artifact that is malfunctioning, we want to know why the configuration is not reaching certain distinguished states of interest. But, even in the engineering domain, the logical form of the explanation of the causal processes is itself independent of the notions of desired or undesired functions. In what follows, we will in general speak of engineering artifacts and their intended functions, but it should be kept in mind that many of the points we make can be restated with respect to the general problem of understanding the causal processes of configurations, whether physical or abstract.
4.4 Applications of FR

The FR framework in its various forms has been used for a variety of problem-solving tasks. In this section, I review, in varying detail, a number of these tasks.
4.4.1 Generating Causal Explanation by Simulation⁵
The Problem Statement. Consider the following problem. Given a set of observations and a diagnostic hypothesis, construct an explanation of how the hypothesized malfunction caused the observations. That is, construct a set of causal stories each of which starts with the hypothesized malfunction and concludes in one or more observations. In the following, I describe the work of Keuneke (Keuneke, 1989) on the use of FR for solving this problem. Technical definitions of a few terms may be useful:
Observations. Observable state variables. Some of the observations are called symptoms, which are abnormal state variable values indicative of malfunctions that trigger the diagnostic process, e.g., specification of a drop from normal pressure. Malfunctions are observations that correspond to device-level functions that are not being delivered. (Malfunctions are symptoms as well.) The rest of the observations give information about the
⁵ This section is adapted from Tanner, M. C., Keuneke, A. M., and Chandrasekaran, B. (1993). Explanation using task structure and domain functional models. In Second Generation Expert Systems (J. M. David, J. P. Krivine, and R. Simmons, eds.), Springer-Verlag, pp. 596-626.
state of the device, but are not immediately classifiable as abnormalities. Most observations on a complex system are of this type.

Diagnostic hypotheses. These are malfunctions of components or missing (but expected) relationships between components. A missing relationship would eventually result in the enclosing subsystem turning into a malfunctioning component.

Causal explanation. A CPD that starts with a diagnostic hypothesis and concludes with one or more observations that are to be explained.

The explanation sought can be formally stated as follows:

    diagnostic hypothesis → x1 → ... → xi → ... → xN
where each xi is either (1) a state that is causally relevant to producing an observation, but is itself not a malfunction, (2) a component or subsystem malfunction, or (3) an observation at the device-level.⁶ In Keuneke’s work, the diagnostic hypothesis is assumed to have been generated by some form of “compiled” reasoning, and FR is used to check whether the hypothesis makes causal sense.
Generating the Malfunction Causal Chain. The organization of a functional representation gives both forward and backward reasoning capability, i.e., it can trace from the hypothesized malfunction to observations (forward), or it can trace from observations to the hypothesized malfunction (backward). This section describes an algorithm that demonstrates the forward simulation potential.⁷ Specifically, if a device A is malfunctioning, devices that use device A (say devices B and C) have a high probability of malfunctioning as well. Similarly, devices that use B and C may malfunction as well, etc. The malfunction causal chain is achieved through the following algorithm, which we have condensed in order to illustrate the main points.

1. Set Observations to the symptoms to be explained, and set HypothesisList to the set of diagnostic hypotheses. Initialize HypothesisObject to an individual diagnostic hypothesis in this set (diagnosed hypotheses and their relationship to observations are considered individually).
2. Identify the function that HypothesisObject names as missing. From the FR of the device, find all functions that make use of this function, and call this set PossibleMalfunctions.
3. For each element in PossibleMalfunctions (call the specific function PossMal) consider the significance of the effect of HypothesisObject on the function:
   If no effect on PossMal then remove from PossibleMalfunctions; HypothesisObject is not causing future problems. Consider the next element in PossibleMalfunctions.
   Else maintain (Malfunction → Malfunction) explanation chain; HypothesisObject is now known to cause a malfunction to PossMal. Specifically, HypothesisObject → PossMal is appended to chain. Note that this step will ultimately place any potential malfunctions in a malfunction chain, including those that are in the set of Observations. Continue.
4. Check the states in the causal process description of the affected PossibleMalfunction. Would noncompletion of these states explain any symptom(s) in Observations? If yes, append to ExplainedSymptoms and print the chain that led to this symptom. Complete the malfunction explanation chain by continuing.
5. Set HypothesisObject to PossMal.
6. Repeat the process from Step 2 until all symptoms are in ExplainedSymptoms or the top-level causal process description of the device has been reached.
7. Repeat from Step 1 until all elements of HypothesisList have been considered.

Step 2 is easily accomplished through the component hierarchy of the functional representation (see example to come soon). Steps 3 and 4 are more intricate and involve knowledge of function type (such as whether it is To-Make, To-Prevent, etc.) and the achievement of the intended causal processes. For example, in Step 3, to determine the effects of a malfunction on other functions, one must consider the possible consequences of the malfunctioning components. In general, the malfunction of a component in a device can cause one or more of the following three consequences:

• NOT Function: the expected results of the function will not be present. Given that the malfunction is not producing the expected results within the causal process, what states in those causal processes will not occur? And, will the lack of this functionality result in malfunctions of functions in which the malfunctioning component was used?
• Parameter Out-of-Range: the expected results of the function are affected, but the function is still accomplished to a limited degree. Sometimes components may be considered malfunctioning yet can still perform the function (or value of some substance parameter) to the extent needed for future use.
• New Behaviors: The malfunction results in behaviors and states that were not those intended for normal functioning.

⁶ In some cases (3) could be (2) as well, i.e., they are not mutually exclusive.

⁷ Note that since the explanation generation mechanism uses expected functionalities and their causal processes rather than all behaviors that could possibly be generated, the problem space is bounded and thus focused.
The determination of whether a proposed malfunction can explain a symptom, Step 4 in the explanation algorithm, can be established by a number of means. The following is a nonexhaustive list:

1. Check each state in the causal process description in which the malfunctioning component is used to see if there is a direct match between a symptom and not achieving an expected state.
2. Check to see if the function that is malfunctioning has an explicit malfunction causal process description and if the symptom is included therein.
3. Check to see if side-effects of the function’s causal process description refer to variables involving the symptoms.
4. Check each state in the malfunction causal process description and its provided clause to see if expected states point to general concepts or generic classes of behavior (such as leak, flow, continuity) and if the symptom pertains to or is explained by such concepts.
Representation of a Chemical Processing Plant. This section provides the output for a sample explanation in the domain of chemical processing plants (CPP). The hierarchy in Fig. 6 shows a partial representation of the functional components with their intended functions (functions are specified under component names). The top-level function, produce.acid, is achieved by the causal process oxidation shown in Fig. 7. The function hierarchy is generated from the CPDs for the FR of the plant. For example, CPP uses the functional components LiquidFeedSystem, AirFeedSystem, Transfersystem, etc., in the process oxidation, which represents the causal chain used to achieve the function produce.acid; Transfersystem uses the functional components, AirFeedSystem, MixingSystem, etc., in its causal process to achieve the function extraction, and so on.
FIG. 6. Partial functional hierarchy of the chemical processing plant. (From Tanner, M. C., Keuneke, A. M., and Chandrasekaran, B. (1993). “Explanation using task structure and domain functional models,” in Second Generation Expert Systems (J. M. David, J. P. Krivine, and R. Simmons, eds.), Springer-Verlag, pp. 599-626. © 1994, Springer-Verlag. Reprinted with permission.)
The Problem
CoolantSystem (identified at the right of Fig. 6) is used to provide coolant water to Condenser for transferring heat from the vapor in Condenser (see Fig. 8). Suppose the coolant water has been completely cut off. A diagnostic system has concluded that a malfunction of the function provide.coolant of CoolantSystem explains the symptoms of NOT (present product external.container) and NOT (temperature rxvessel at.threshold). Specifically, HypothesisObject is provide.coolant of CoolantSystem and the observations to be explained are (NOT (present product external.container), NOT (temperature rxvessel at.threshold)). The system produces three causal stories.

Causal Story 1: Generation of Causal Connections

The causal process SupplyReactants uses the functions retrieveliquid and LiquidConcCtrl, in addition to the LiquidFeedSystem and AirFeedSystem. The explanation system generates the following:
[Figure 7. States legible in the figure, top to bottom: (amount acid below.threshold), (present reactants rxvessel), (amount heat rxvessel increased), (condition rxvessel sufficient), (present acid rxvessel), (present product external.container).]

FIG. 7. Causal process oxidation used by function produce.acid. (From Tanner, M. C., Keuneke, A. M., and Chandrasekaran, B. (1993). “Explanation using task structure and domain functional models,” in Second Generation Expert Systems (J. M. David, J. P. Krivine, and R. Simmons, eds.), Springer-Verlag, pp. 599-626. © 1994, Springer-Verlag. Reprinted with permission.)

[Figure 8. States legible in the figure, top to bottom: (surrounded vapor coolant), (temperature vapor decreased).]

FIG. 8. Remove-heat function of Condenser. (From Tanner, M. C., Keuneke, A. M., and Chandrasekaran, B. (1993). “Explanation using task structure and domain functional models,” in Second Generation Expert Systems (J. M. David, J. P. Krivine, and R. Simmons, eds.), Springer-Verlag, pp. 599-626. © 1994, Springer-Verlag. Reprinted with permission.)

    The symptom NOT (present product external.container) is explained by the following chain: NOT provide.coolant causes malfunction in condense causing malfunction in retrieveliquid causing malfunction in LiquidConcCtrl causing problems in behavior SupplyReactants which is used in behavior oxidation and indicates malfunction of the top level function and results in NOT (present product external.container)
The idea here is that if the required amount of reactants is not available, the product is not produced as desired and, thus, cannot be retrieved. The explanation system generates this chain by means of the following information: provide.coolant caused a malfunction in condense because it caused a failure in the behavior of condense. A malfunction in condense caused a malfunction in retrieveliquid because its achievement was required to attain the desired CPD for retrieveliquid. retrieveliquid caused a malfunction in LiquidConcCtrl because it was needed to provide the preconditions for LiquidConcCtrl and it preceded the use of LiquidConcCtrl in the behavior SupplyReactants. SupplyReactants was used in the causal process Oxidation (see Figure 7), to achieve the state (present reactants rxvessel). This state was necessary for the completion of the CPD and thus nonachievement here denotes nonachievement of further states in the CPD, particularly NOT (present product external.container).

Causal Story 2: The Use of Side-Effect Inspection
The explanation system continues and finds a causal connection for the second symptom, NOT (temperature rxvessel at.threshold).

    The symptom NOT (temperature rxvessel at.threshold) is explained by the following chain: NOT provide.coolant causes malfunction in condense causing problems in behavior removeheat of function cool.

Since cool is not a top-level function of the chemical processing plant, the trace continues until all consequences are determined.

    The symptom NOT (temperature rxvessel at.threshold) is explained by the following chain: NOT provide.coolant causes malfunction in condense causing malfunction in cool causing problems in behavior compensate.oxidation.se, a notable side effect behavior used in oxidation and indicates NOT (temperature rxvessel at.threshold)
Notice that this explanation identifies that the symptom was observed in a side-effect behavior (compensation for effects of the reaction), rather than a behavior of the main functionality (production of acid).

Causal Story 3: Using Subfunction Connections for Causal Focus
A final statement is made when the system has inspected all the relevant causal chains. The final causal path is achieved via causal connections obtained specifically through the knowledge of subfunctions. In its specification, the function extraction has a Provided clause that specifies that
the solid acid slurry must have the proper consistency so that flow through the extraction tube is possible. The function SolidConcCtrl is present in this device for the sole purpose of producing these conditions for extraction. The purpose of SolidConcCtrl is to keep the solid suspended and maintain the concentration in the reaction vessel at the proper consistency. In the CondensateWithdrawalSystem, the retrieveliquid function uses Condenser to retrieve the condensate from the vapor produced. The MixtureLevelCtrl function then uses a feedback controller to maintain the flow and, thus, the desired amount of liquid in the reaction vessel, which ensures that the acid slurry has the proper consistency. If the liquid is not retrievable, then, obviously, the condensate flow cannot be controlled and the consistency of the acid in the vessel is not maintained. The explanation system provides this explanatory story as follows:

    One function affected by provide.coolant is SolidConcCtrl which is a necessary subfunction of extraction. The symptom NOT (present product external.container) is explained by the following chain: NOT provide.coolant causes malfunction in condense causing malfunction in retrieveliquid causing malfunction in MixtureLevelCtrl causing malfunction in SolidConcCtrl causing malfunction in extraction causing malfunction in produce.acid causing NOT (present product external.container)

Discussion
The intrinsic limitations of a functional representation for explanation arise from its intrinsic limitations for simulation. The representation uses prepackaged causal process descriptions that are organized around the expected functions of a device. Simulations of the malfunctioning devices are thus limited to statements of what expectations are “not” occurring. This limitation affects the capabilities for explanation in two significant ways. First, the functional representation is not capable of generating causal stories of malfunctions that interact unless the device representation has this interaction explicitly represented. Similar problems regarding the interactions of malfunctions arise in diagnosis (Sticklen et al., 1985). Secondly, “new” CPDs, i.e., CPDs that are not those intended for normal functioning, but, rather, arise due to a change in device structure, could potentially lead to symptoms that cannot be explained using the functional representation. Additional research focusing on how a functional organization might be used to determine these new behavioral sequences, in addition to determining how conventional methods of qualitative reasoning may be integrated, is needed.
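The forward trace of Steps 1 to 7, run on a reduced model of the chemical plant, as an added example that is not code from the chapter or from Keuneke's system. Unit names and the plant states in parentheses are taken from the text and figures above; the "(achieved ...)" placeholder states, the dictionary layout and the NO_EFFECT set are assumptions made for this illustration.

```python
from collections import deque

# Reduced plant model (constructed for this example).
# unit -> ordered causal process: (state reached, units the transition relies on).
# "(achieved X)" states are placeholders for CPDs the chapter does not print.
CPDS = {
    "condense": [("(surrounded vapor coolant)", {"provide.coolant"}),
                 ("(temperature vapor decreased)", set())],
    "retrieveliquid": [("(achieved retrieveliquid)", {"condense"})],
    "cool": [("(achieved cool)", {"condense"})],
    "LiquidConcCtrl": [("(achieved LiquidConcCtrl)", {"retrieveliquid"})],
    "MixtureLevelCtrl": [("(achieved MixtureLevelCtrl)", {"retrieveliquid"})],
    "SolidConcCtrl": [("(achieved SolidConcCtrl)", {"MixtureLevelCtrl"})],
    "extraction": [("(achieved extraction)", {"SolidConcCtrl"})],
    "SupplyReactants": [("(achieved SupplyReactants)", {"LiquidConcCtrl"})],
    # Side-effect behavior; its state is inferred from Causal Story 2.
    "compensate.oxidation.se": [("(temperature rxvessel at.threshold)", {"cool"})],
    "produce.acid": [  # causal process "oxidation"
        ("(present reactants rxvessel)", {"SupplyReactants"}),
        ("(amount heat rxvessel increased)", set()),
        ("(condition rxvessel sufficient)", {"compensate.oxidation.se"}),
        ("(present acid rxvessel)", set()),
        ("(present product external.container)", {"extraction"}),
    ],
}
TOP_LEVEL = "produce.acid"
# Assumption: losing the side-effect behavior does not halt the main process,
# so Step 3 judges it to have "no effect" on produce.acid.
NO_EFFECT = {("compensate.oxidation.se", "produce.acid")}

SYM_PRODUCT = "NOT (present product external.container)"
SYM_TEMP = "NOT (temperature rxvessel at.threshold)"


def users_of(unit):
    """Step 2: every unit whose causal process names `unit` on a transition."""
    return [u for u, steps in CPDS.items() if any(unit in by for _, by in steps)]


def unreached_states(user, failed):
    """Step 4: states of `user` that cannot occur once `failed` is missing,
    i.e. the first transition relying on it and every later state."""
    steps = CPDS[user]
    for i, (_, by) in enumerate(steps):
        if failed in by:
            return [state for state, _ in steps[i:]]
    return []


def explain(hypothesis, symptoms):
    """Steps 2-6 for one hypothesis. Returns {symptom: [chain, ...]}."""
    wanted = {s: s[len("NOT "):] for s in symptoms}   # "NOT (x)" -> "(x)"
    explained = {s: [] for s in symptoms}
    queue = deque([[hypothesis]])
    while queue:
        chain = queue.popleft()
        failed = chain[-1]                            # current HypothesisObject
        for user in users_of(failed):                 # PossibleMalfunctions
            if (failed, user) in NO_EFFECT or user in chain:
                continue                              # Step 3: no effect
            new_chain = chain + [user]                # Step 3: extend the chain
            lost = unreached_states(user, failed)
            for symptom, state in wanted.items():
                if state in lost:                     # Step 4: symptom matched
                    explained[symptom].append(new_chain)
            if user != TOP_LEVEL:                     # Step 6: stop at the top
                queue.append(new_chain)               # Step 5
    return explained


def explain_all(hypotheses, symptoms):
    """Step 7: each diagnostic hypothesis is considered individually."""
    return {h: explain(h, symptoms) for h in hypotheses}


def render(chain, symptom):
    """Text in the style of the explanation system's output."""
    links = " causing malfunction in ".join(chain[1:])
    return f"NOT {chain[0]} causes malfunction in {links} and results in {symptom}"


if __name__ == "__main__":
    for sym, chains in explain("provide.coolant", [SYM_PRODUCT, SYM_TEMP]).items():
        for c in chains:
            print(render(c, sym))
```

Unlike the stopping rule in Step 6, this sketch keeps tracing after a symptom is first explained, which is why it returns both chains for the missing product along with the one side-effect chain.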
4.4.2 Parametric Simulation

Let us say we have a CPD associated with the function

    sI → ... → si → ... → sF

where sI is the initial state and sF the functional state desired. This CPD packages a simulation sequence. If all the conditions for sI and the next transition are satisfied, the partial state corresponding to its successor will be achieved and similarly for the next transition, and so on. The nodes in CPD and the conditions on the links may be represented parametrically. In that case, CPD becomes a parametrized family of behaviors. Specific behaviors can then be derived for particular situations represented by a particular set of parameters.

DeJongh (1991) uses the idea of parametric simulation to reason about classes of functional systems in the domain of blood typing and testing. The members of the class follow the same causal process, but differ in the various parameters associated with the values of the variables. For example, the way that the function of preventing spontaneous agglutination is achieved by the red cells is represented parametrically. Similarly the class of test procedures is also represented as a class of devices that use specific causal processes to achieve the test functions.

Sticklen and his group (Pegah et al., 1993) have been most active in developing techniques for the use of FR in simulation. Each CPD is a prepackaged simulation sequence of states of interest in some context, and, in that sense, tracing a CPD represents a limited form of simulation. However, the very fact that CPDs are organized with respect to goals of interest provides advantages in many simulation problems. In particular, when FR represents a class of devices (or a class of contexts and initial conditions), CPD and the hierarchical organization implicit in FR make possible efficient situation-specific and goal-directed simulation. Suppose that a device has a number of functions, each with different Provided clauses, i.e., the different functions are invoked under different conditions.
Note that a similar situation might prevail with respect to the components of the device, i.e., each of the components might have its own function, and each function might have its own distinct Provided clause(s). Let us also assume that FR is represented parametrically, i.e., the partial states and the various conditions in the CPDs include parameters corresponding to structural parameters that can be instantiated to specific versions of the device. Sticklen describes an algorithm that, in outline, works as follows:

1. Given the operating conditions and the parameters, the simulator starts with top-level functions and identifies all the functions whose Provided clauses are satisfied. Any missing or altered functions can also initialize the simulation. If one function uses another function as part of one of its links, the calling function is included, but not the called function.
2. Using the specific parameters and the conditions, top-level CPDs of the functions that are chosen in Step 1 are instantiated. Note that this does not merely copy CPD. Some of the paths in CPD may not be taken because the conditions for the links are not satisfied, either because of the conditions in the Provided clauses of functions that are called or because the functions are otherwise not available. Instantiation of CPD for the specific situation constitutes a Particularized State Diagram (PSD).
3. Any link in CPD with a By-CPD or a By-Function annotation can be expanded by accessing the referenced CPD or the CPD of the referenced function, and instantiating it by means of the values of the parameters and eliminating inapplicable paths. This now produces a PSD at another level of detail. The process can be continued to as great a degree of detail as necessary.

As PSDs are built up, the values of the state variables are appropriately updated. Thus the simulation itself is available in a hierarchical fashion to many levels of detail, mirroring the functional decomposition of the device. Pegah et al. (1993) describe the simulation of the fuel transport system of an F-18 aircraft using this technique. Sticklen et al. (1991) also describe the process of integrating qualitative and quantitative simulations in an FR framework. Basically, the transitions in CPD help the simulation system focus on the particular quantitative equations that are to be used in the actual computation (see also Sun and Sticklen (1990)).
Toth (1993) has recently shown how FR may be used as an organizing principle for intelligent simulation so that the computational effort in simulation can be allocated in response to goals. For example, in a structural engineering problem, we might be interested in knowing if the stress in some element is going to be more than the maximum allowed. Engineers reasoning about such problems typically combine quantitative and qualitative techniques. By using purely qualitative techniques, many could be ruled out, helping to zero in on a member with a high likelihood of excessive stress. Numerical techniques could then be used to make precise computation of the stress in restricted parts of the original structure. Toth shows how the CPD of devices may be organized to include pointers to both qualitative and quantitative methods of computing the state variables involved in causal transitions.
4.4.3 Diagnostic Reasoning

Davis (1984), Fink and Lusth (1987), and Steels (1989) are among a number of authors who have used functional notions explicitly in diagnostic reasoning, though work in this vein does not include the relationship between functions and causal processes that our own work on FR elaborates. In the use of FR in diagnosis, the causal process description plays an important role.
Simple Use of FR in Diagnosis. The first application of FR was in diagnostic reasoning. In Sembugamoorthy and Chandrasekaran (1986) a diagnostic knowledge structure was compiled for an electronic buzzer from its FR. The diagnostic knowledge structure was a malfunction tree, with a set of diagnostic rules for each of the malfunctions. Sticklen (1987) used a similar idea, but in his problem the diagnostic knowledge structure was incomplete. He used FR to generate the diagnostic knowledge that was needed for a diagnostic situation. The distinction between the use of FR for generating a complete diagnostic knowledge structure in advance versus only fragments of diagnostic knowledge as needed for a problem instance could be described as a distinction between compilation and interpretation, but this distinction is not my focus here. The various issues in applying FR in diagnosis are explored in Chandrasekaran et al. (1989), Sticklen and Chandrasekaran (1989), Sticklen el al. (1989), Sticklen and Tufankji (1992) and Sticklen et al. (1993). The central idea for diagnosis can be summarized as follows. For simplicity, let us first consider a CPD in which each transition has only one annotation
    n1 --[By-function F-of-component c]--> n2
Suppose the device is in partial state n1, i.e., the device is in a state that satisfies the predicates corresponding to n1. Suppose we test the device and observe that the device fails to reach n2. What conclusions can we draw? Because the CPD asserts that the device goes from partial state n1 to n2 because of the function F of component c, we can hypothesize that the failure to reach n2 is due to the component c not delivering the function F. Corresponding to this transition we can identify one possible malfunction state “Component C not delivering function F.” The diagnostic rule, “device satisfies n1 but not n2,” can be used to establish this malfunction mode of the device. If the annotation had, instead, been By-CPD CPD-1, where CPD-1 is a specific CPD, we could similarly examine CPD-1 to see why this transition failed (some transition in CPD-1 will fail if the transition from n1 to n2 failed). Ultimately, we can identify some function of some
component that would have to be responsible for the failure of the device to reach n2. There is no malfunction corresponding to a transition with the annotation By-Domain-Law; a domain law cannot fail to hold. Of course, the designer’s account of the role played by the domain law could be incorrect, but we are assuming here that the FR itself is correct. How to verify the FR itself is an interesting issue in its own right, but is not the subject of the current discussion.
The technique of identifying a component malfunction either directly from the annotation By-Function or by recursive application of By-CPD leads to a diagnostic tree that will have as tip nodes the malfunctions of components or subcomponents. The diagnostic rule for each malfunction will be composed of rules of the form, “If the predicates corresponding to node ni are true, but those corresponding to nj are not true, then establish the malfunction.”
What happens when we have more than one annotation, e.g., as in Fig. 5 where the transition appeals to more than one function? In this example, the transition can fail because pipe2 is blocked, its thermal (heat exchange) function fails, or because the conditions in the qualifiers are not satisfied. In this case, the failure of the transition can only identify these as possible malfunctions, but cannot establish them. Additional information will be necessary.
Not all diagnostic knowledge can be derived from design information alone. For example, rank ordering of diagnostic hypotheses in terms of likelihood and pursuing them in order of most to least probable is quite common in diagnostic reasoning. But this ordering requires knowledge of the probabilities of failure for the components. This information is not derivable from a causal model of how a device works. Additional information in the form of failure rates is needed.
Conversely, not all diagnostic knowledge derived from causal models is directly usable, since some of the variables mentioned in the diagnostic rules generated from the causal models may not be directly observable. Additional inference may be required. For example, in medical diagnosis, from an FR of liver functions, one might derive the diagnostic rule, “If bile is generated in the liver but is not delivered to the duodenum, then establish ‘blockage of bile duct’.” However, “bile in the duodenum” is not directly observable. Additional reasoning about the consequences of bile in the duodenum, perhaps by using FRs of other physiological mechanisms, can result in observable tests that can then be used as diagnostic knowledge. DeJongh (1991) discusses the use of FR-like simulations of physiological mechanisms (like the “Prevent-agglutination” function of red blood cells) to verify abductive hypotheses in a blood typing system. His work is
significant in that both the compiled diagnostic problem solving as well as the causal simulation using FR is done in a uniform formalism of problem spaces in the Soar (Laird et al., 1987) framework. This enables him to use Soar’s chunking mechanism to transfer the results of causal simulation to the compiled diagnostic knowledge structure.
Debugging proposed designs in design problem solving involves a form of diagnosis. Stroulia et al. (1992) discuss the use of FR in this task.
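The derivation of diagnostic conclusions from CPD annotations described above can be sketched as follows. This is an added example, not code from the chapter or from any of the cited systems; the device, its state names and the tuple encoding of annotations are constructed for illustration, and treating a transition with exactly one fallible annotation as "established" is an assumption drawn from the text's remark that a domain law cannot fail.

```python
from collections import namedtuple

# One CPD transition: partial state src -> partial state dst, with annotations.
Transition = namedtuple("Transition", "src dst annotations")

# Constructed sample device (hypothetical names, not from the chapter).
# Annotation forms: ("By-Function", function, component),
#                   ("By-CPD", cpd_name), ("By-Domain-Law", law)
CPDS = {
    "cool-liquid": [
        Transition("s1", "s2", [("By-Function", "pump", "pump1")]),
        Transition("s2", "s3", [("By-CPD", "transfer-heat")]),
        Transition("s3", "s4", [("By-Domain-Law", "conservation-of-energy")]),
    ],
    "transfer-heat": [
        Transition("h1", "h2", [("By-Function", "allow-flow", "pipe2"),
                                ("By-Function", "exchange-heat", "pipe2")]),
    ],
}


def diagnose(cpd_name, cpds, holds):
    """Apply the rule 'src holds but dst does not' to every transition.

    holds: set of partial-state names observed to be satisfied.
    Returns (established, possible) lists of malfunction descriptions.
    """
    established, possible = [], []
    for t in cpds[cpd_name]:
        if t.src not in holds or t.dst in holds:
            continue  # transition was not attempted, or it succeeded
        # A domain law cannot fail, so it never yields a malfunction.
        fallible = [a for a in t.annotations if a[0] != "By-Domain-Law"]
        # Assumption: a single fallible annotation lets the rule establish
        # the malfunction; several annotations only make each one possible.
        sole = len(fallible) == 1
        for ann in fallible:
            if ann[0] == "By-Function":
                _, function, component = ann
                found, maybe = [f"{component} not delivering {function}"], []
            else:  # By-CPD: some transition inside the sub-CPD must have failed
                found, maybe = diagnose(ann[1], cpds, holds)
            (established if sole else possible).extend(found)
            possible.extend(maybe)
    return established, possible


if __name__ == "__main__":
    print(diagnose("cool-liquid", CPDS, {"s1"}))
    print(diagnose("cool-liquid", CPDS, {"s1", "s2", "h1"}))
```

The second call descends through the By-CPD annotation and returns only possible malfunctions, because the failed sub-transition appeals to two functions of pipe2.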
Debugging Computer Programs. Allemang (Allemang, 1990, 1991; and Allemang and Chandrasekaran, 1991) considered the problem of understanding how computer programs work. Computer programs have components just like physical devices, with modules at higher levels, and programming language statements at the lowest level. We can arrive at an understanding of how a program functions by building a process description. Because one of the basic principles behind FR is that the way in which a component achieves its functions is irrelevant to understanding its role in a device, in fact the component may be replaced by another that provides the same functionality, an FR actually does not represent a single device, but a class of devices that share the same functional breakdown. Allemang proposed that an FR in the programming domain would correspond to several programs, all sharing the same strategy. Proofs of correctness of these programs would share many features in common as well. In that sense FR can be viewed as an organization of the proofs of correctness of this class of programs. The partial states in the CPD of an FR correspond to intermediate formulas that appear in all the proofs. Typical examples of these states of computation include assertions about values of variables and loop invariants. In this section, I will use some examples from Allemang (1990) and Allemang and Chandrasekaran (1991) to illustrate FR of programs. See also Liver (1993) for application of FR to programs in the domain of telecommunications.
An Example of a Functional Representation of a Program. Consider the problem of moving the contents of each element of an array between indices k and n - 1 to the next higher position, that is, ∀i ∈ [k, n - 1], a[i + 1] = #a[i] (#a denotes the original values of the array a). At the end of the program, a[n] has the value that used to be at a[n - 1]. Three possible solutions to this are shown in Fig. 9. The first solution iterates backwards over the relevant fragment of the array, moving the element with the highest index (n - 1) into place first, leaving room for the next-to-last element, and so on. The second solution attempts to move the element with least index (k) first, but is buggy, since this clobbers the
Left:
    i := n - 1
    while i ≥ k do
        a[i + 1] := a[i]
        i := i - 1
    end
Center:
    i := k
    while i ≤ n - 1 do
        a[i + 1] := a[i]
        i := i + 1
    end
Right:
    temp := a[k]
    i := k
    while i ≤ n - 1 do
        save := a[i + 1]
        a[i + 1] := temp
        temp := save
        i := i + 1
    end
FIG. 9. Three solutions to the shift problem, including one incorrect solution (center). (From Allemang, D., and Chandrasekaran, B. (1991). “Functional representation and program debugging,” in Proc. Knowledge-Based Software Engineering Conference, 1991, IEEE Computer Society Press, pp. 136-152. © 1991, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
contents of the next array location. The final example is a corrected version of the second case, in which some auxiliary variables have been introduced to take care of the value clobbering problem.
We have some knowledge about a large range of solutions to this assignment, including the three solutions given above. We know that the solutions must treat data in a conservative way, that is, data must not be overwritten. The solutions must move the data within one data structure, rather than construct a new one by iterating through the set, treating each element individually. How can we take advantage of such knowledge to help to recognize when the actual code is correct? We begin by representing them with the same FR.
All three of these programs cover the set of relevant indices of the array with the index i; for each element covered by i they move the current element up one place in the array. These two operations are coordinated by the overall structure of the loop. Notice that the programs differ in the choices they make for each of these functions; the first program counts down the set while the others count up; the first two simply move the value to the appropriate place in the array, while the third uses a more complex swapping solution. This suggests three devices in the functional representation: the index, the mover, and the loop.
The role of the index in this problem is to cover the part of the array that is of interest. It does this by (1) starting somewhere in the set; (2) moving from one item in the set to another; and (3) checking when it has covered the entire set. This suggests three functions for the index variable. These, along with some samples of code that could support these functions, are shown in Fig. 10. Two options for the index are specified; one each for moving up and down the set. We will use the notation U(i) to refer to the part of [k...n - 1] visited so far by the index; for ascending index, U(i) = [k...i - 1], for descending index, U(i) = [i + 1...n - 1] (by convention, U(i) never contains i).
Device index
    Function start
        If T
        ToMake ?index = u
        By e.g., ?index := n - 1
                 ?index := k
    Function next
        If ?index = ?x
        ToMake ?index = v(?x)
        By e.g., ?index := ?index - 1
                 ?index := ?index + 1
    Function check
        If ?index ∈ [k..n - 1]
        ToMake (?index ∈ U)
        By e.g., ?index ≥ k
                 ?index ≤ n - 1
FIG. 10. Functional representation for the index. The actual starting point u and next-value function v differ for the two options (ascending and descending). For the ascending option, v(i) = i + 1 and u = k; for descending, v(i) = i - 1 and u = n - 1. (From Allemang, D., and Chandrasekaran, B. (1991). “Functional representation and program debugging,” in Proc. Knowledge-Based Software Engineering Conference, 1991, IEEE Computer Society Press, pp. 136-152. © 1991, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
The role of the mover in this program is to guarantee that if the previously visited cells in the array have been moved correctly, then all the cells, including the current cell, have been moved correctly. It has one function to do this, which in Fig. 11 is called move. In the figure, Γ is the predicate on subsets of [k...n - 1] that asserts that all cells in a subset have been appropriately moved, and that no others have been moved. For use in a correctness proof, Γ is defined by
$$\Gamma(S) = \bigl(\forall j \in S,\; a[j + 1] = \#a[j]\bigr) \wedge \bigl(\forall j \in [k \ldots n - 1] \setminus S,\; a[j] = \#a[j]\bigr) \tag{1}$$
Because of the possibility of a mismatch between some choices that might be made for index (e.g., ascending) and this definition of the mover, it is not possible to justify the part of the proof corresponding to this function, i.e.,
$$\{\Gamma(U(\mathit{?index}))\}\;\; a[\mathit{?index} + 1] := a[\mathit{?index}] \;\;\{\Gamma(U(\mathit{?index}))\} \tag{2}$$
before knowing the details of the actual program. Thus, in order for this FR to be consistent, it would be necessary to place (2) as the proviso for the function move. In Figure 11, a weaker proviso is employed that does not entail the consistency of the FR, but shows the capability of the system to use plausible explanations in place of actual proofs.
Device mover
    Function move
        If Γ(U(?index)) ∧ (?index ∈ U)
        ToMake Γ(U(v(?index))) ∧ (empty a[?index])
        By e.g., a[?index + 1] := a[?index]
        Provided (empty a[?index])
FIG. 11. Functional representation of the move function of mover. Such a move requires that the left-hand side be empty, and provides that the right-hand side becomes empty. (From Allemang, D., and Chandrasekaran, B. (1991). “Functional representation and program debugging,” in Proc. Knowledge-Based Software Engineering Conference, 1991, IEEE Computer Society Press, pp. 136-152. © 1991, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
Finally, the overall loop has the job of coordinating the functions of these two components. It is the loop that sequences the various checks and assignments from mover and index so that the overall task of moving the array fragment is done. A functional representation of the loop is shown in Fig. 12.
Debugging Using Device Understanding. Allemang also discussed the use of FR for program debugging. The debugger matches intentions to programs, and then resorts to a weak theorem prover only when the match cannot be completed. It uses provisos to simplify the job of the theorem prover as far as possible. When presented with the first program in Fig. 9, the debugger determines which choices of navigator and collector match the actual program. We omit the details of this unification process. Since the structure of the FR matches this program quite well, the loop invariant for this induction proof is already known, and the theorem prover only has to verify that the proviso (empty a[i]) is satisfied whenever the line a[i + 1] := a[i] is executed. So the debugger presents the following fragment of a proof:
    Presuming that a[n] is empty, loop initialization tells us that i is n - 1. So, at the start of the loop, a[i + 1] is empty.
    From the previous iteration, the line a[i + 1] := a[i] tells us that a[i - 1 + 1] is empty. The line i := i - 1 tells us that a[i + 1] is empty.
    Thus, a[i + 1] is empty for the current iteration.
We will skip what the debugger does with the second program, and move to the third one, in which the programmer has introduced three novel lines and added two new variables to the problem. The debugger has no problem recognizing this as a correct program. It finds three lines in the body of the loop where it expected to find just the one line,
    a[i + 1] := a[i].
First, it notices that the second of these three lines might be able to provide
Device shift loop
    Function induct
        If ∀j ∈ [k..n - 1], a[j] = #a[j]
        ToMake ∀j ∈ [k..n - 1], a[j + 1] = #a[j]
        By initialize-and-loop
    Behavior initialize-and-loop:
        Using Function cover of shift loop
    Function cover
        If Γ(U(?index)) ∧ ?index ∈ U
        ToMake Γ(U(?index)) ∧ ?index ∉ U
        By cycle
    Behavior cycle
        [State diagram; its layout is not recoverable. States: Γ(U(?index)); Γ(U(v(?index))); (?index ∈ U). Transition annotations: Using Function next of index; Using Function check of index; Using Function move of mover.]
FIG. 12. Complete functional representation of the shift loop. (From Allemang, D., and Chandrasekaran, B. (1991). “Functional representation and program debugging,” in Proc. Knowledge-Based Software Engineering Conference, 1991, IEEE Computer Society Press, pp. 136-152. © 1991, Institute of Electrical and Electronic Engineers. Reprinted with permission.)
the function expected by the missing line, provided that the variable temp contains the value that was expected on the right-hand side of the assignment, that is, #a[i]. This proviso is treated as any other, and the debugger traces back through the loop to generate the following proof:
    The line temp := a[k] tells us that temp contains #a[k]. The loop initialization tells us that i is k, so at the start of the loop, temp contains a[i],
    From the previous iteration, the line save := a[i + 1] tells us that save contains #a[i + 1]
    the line temp := save tells us that temp contains #a[i + 1]
    the line i := i + 1 tells us that temp contains #a[i].
    Thus, temp contains #a[i] on the current iteration.
The separation of functions from the process description allows FR to act like a plan representation for programs (Johnson, 1986); the functions specify pre- and post-conditions. The links in CPD index other functions, based on their pre- and post-conditions, just as subgoals index other plans. Allemang goes on to argue how FR provides a way of combining the power of the plan-based representation and the traditional programming language semantics, defining what he calls a functional semantics that allows a debugger to consult a proof of correctness without having to deal with all the complexities of the traditional programming language semantics.
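To make the clobbering problem and the (empty ...) proviso concrete, the three programs of Fig. 9 can be run with a check before every array write. This is an added example, not Allemang's debugger: it tests the proviso dynamically on one input instead of proving it, and the `check` callback, the `run` helper and the sample array are constructed here. A cell is treated as empty when it is the presumed-empty a[n] or when its value is still held in another cell or in an auxiliary variable.

```python
def shift_descending(a, k, n, check):
    """Left program of Fig. 9: move the highest-index element first."""
    i = n - 1
    while i >= k:
        check(i + 1, {})
        a[i + 1] = a[i]
        i -= 1


def shift_ascending_buggy(a, k, n, check):
    """Center program of Fig. 9: ascending index, clobbers a[i + 1]."""
    i = k
    while i <= n - 1:
        check(i + 1, {})
        a[i + 1] = a[i]
        i += 1


def shift_ascending_saved(a, k, n, check):
    """Right program of Fig. 9: ascending index with temp and save."""
    temp = a[k]
    i = k
    while i <= n - 1:
        save = a[i + 1]
        check(i + 1, {"temp": temp, "save": save})
        a[i + 1] = temp
        temp = save
        i += 1


def run(program, original, k, n):
    """Run a program on a copy of `original`.

    Returns (postcondition_holds, indices_written_while_not_empty).
    """
    a = list(original)
    violations = []

    def check(idx, aux):
        # Proviso "(empty a[idx])": overwriting loses nothing if idx is the
        # presumed-empty cell a[n], or the value is still held in another
        # cell or in an auxiliary variable. Assumes distinct cell values.
        if idx == n:
            return
        value = a[idx]
        elsewhere = any(a[j] == value for j in range(len(a)) if j != idx)
        if not elsewhere and value not in aux.values():
            violations.append(idx)

    program(a, k, n, check)
    # Postcondition of the shift problem: a[j + 1] = #a[j] for j in [k, n - 1].
    post = all(a[j + 1] == original[j] for j in range(k, n))
    return post, violations


# Constructed input: indices 0..5, shift the fragment k = 1 .. n - 1 = 4 up by one.
SAMPLE = [10, 11, 12, 13, 14, None]

if __name__ == "__main__":
    for program in (shift_descending, shift_ascending_buggy, shift_ascending_saved):
        print(program.__name__, run(program, SAMPLE, 1, 5))
```

Only the center program writes to cells that are not empty (indices 2, 3 and 4 on this input), and only it fails the postcondition.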
4.4.4 Device Libraries
The FR framework leads to the prospect of technical domain libraries of generic devices. Device classes at different levels of system description would be represented along with parametrized structural representation and the corresponding CPDs. Specific device representations can be constructed by choosing, instantiating, and composing elements from the library. In most cases, the FR for a device would simply be an instantiation of an abstract generic device, but in cases where the design is novel, new CPDs could be composed. This device can be abstracted to a generic device and made available for future use. DeJongh (1991) represents classes of devices by parametrized FR descriptions, where specific devices inherit the causal structure though the variables assume the values for the particular device. Pegah et al. (1993) report on the use of device libraries for constructing representations. Toth (1993) outlines the construction of such libraries in an object-oriented framework, and uses such libraries extensively in her work on simulation. Josephson (1993) reports on the use of abstract data types as the basis for building such device libraries. The Kritik system of Goel (1993b) uses a library of about 25 designs for case-based design.
4.4.5 Uses in Design
There are a number of design subtasks for which the FR framework is useful (see Chandrasekaran, 1990, for a description of the task structure of design, Goel and Chandrasekaran, 1992 for a more detailed task analysis of case-based design, and Freeman and Newell, 1971, for an early discussion
of the role of functional reasoning in design). Iwasaki et al. (1993) describe a design framework in which again FR plays an important role. Chandrasekaran et al. (1993) discuss the use of FR for representing causal aspects of a design rationale, i.e., explanations of design choices. Levi et al. (1993) discuss how FR helps in bridging the processes of planning, execution, and device implementation in planning systems. In this section, we discuss the use of FR in case-based design and in design verification.
Redesign. The need to redesign can come about in a number of ways. For one thing, it is a subtask of the technique of case-based design. In this technique, when a new design problem comes along, a search is made in memory for problems similar to the current one, the “closest” such problem is retrieved, and the design solution for that problem is redesigned, i.e., modified to fit current needs. Redesign can also occur when the use environment has changed and it is desired to modify a device so as to deliver slightly different functions. In either case, the goal in the task of redesign is to modify the artifact so that it meets somewhat different functions. If the required changes in function are drastic, then, perhaps, equally drastic structural alterations will be needed, possibly requiring another design from scratch. However, if the needed changes are slight, redesign can be accomplished by relatively simple modifications to the existing structure, perhaps by parametric changes to the components and substances. In this section, we examine the role of FR in the redesign problem, assuming that the required changes are parametric changes to the components.
Redesign has three subtasks: identifying the substructure that requires modification, identifying the modifications that need to be made, and verifying that the changes, in fact, produce the desired changes in function. Taking the last two subtasks first, deciding on the appropriate modifications requires knowledge outside the FR for the device. Perhaps a design library containing FRs of a number of functional assemblies could help. If it is decided that a component or a subsystem of the previous design needs to be changed to reflect a different functionality, an appropriate solution from the library may be available. Regarding verification, Sticklen’s use of FR for parametric simulation (Pegah et al., 1993) is relevant here.
As we discussed in the earlier section on parametric simulation, Sticklen shows how FR can be viewed as a form of compiled simulation, and suggests ways in which FR can incorporate information about the behavior of the device over ranges of component parameters. With this information, it is a straightforward process to derive device behavior whenever the component parameters are changed. Let me now get back to the first subtask, viz., identifying the substructures or components that need modification. Use of FR for retrieval and case analysis was first discussed in Goel and Chandrasekaran (1989), and Goel
developed the idea in detail in his thesis (Goel, 1989; see also Goel, 1992) where he described Kritik, a system that performs a form of case-based design in the NAC domain. I will describe how Kritik uses FR for case retrieval and analysis. Suppose we wish to modify NAC in order to cool high-acidity sulfuric acid instead of the low-acidity nitric acid. Kritik first compares the desired functions and those actually delivered by the candidate design (NAC). It notes that they differ in (i) the substance to be cooled (sulfuric acid instead of nitric acid) and (ii) a property of the substance (high-acidity instead of low-acidity). Since the substance property difference occurs in the function cool (low-acidity) nitric acid, Kritik uses this function to access the CPD responsible for it. A fragment of this CPD, the transition from state2 to state3, is shown in Fig. 5. Kritik traces through this CPD, checking each state transition in it to determine whether the goal of reducing the substance property difference (low-acidity → high-acidity) can be achieved by modifying some element in the transition. For example, in the transition state2 → state3, it finds that pipe2 has an allow function but it is restricted to low-acidity substances. Kritik has a typology of modifications to device components: (i) the parameters of a component can be “tweaked,” (ii) the modality of operation of a component can be changed, and (iii) one component can be replaced by another component. It correspondingly generates the following modification hypotheses: (i) pipe2 can allow the flow of high-acidity substances in a different parameter setting, (ii) pipe2 can allow the flow of high-acidity substances in a different mode of operation, and (iii) pipe2 has to be replaced with some new-pipe2 that allows the flow of high-acidity substances. How the choice of modification is made is not directly related to functional representation, so we omit a discussion of that issue.
The replacement of nitric acid with sulfuric acid is straightforward as is the similar modification needed to handle the difference in functional specification. (See Goel (1991a) for additional discussion of case adaptation.)
While Kritik is limited to “local” changes in a design, new members in the Kritik family of systems go beyond this restriction. Stroulia and Goel (1992), for example, show how FR-like representations of generic mechanisms such as cascading can help make certain kinds of nonlocal modifications to a design. Suppose, for example, a designer wished to create a device that will be able to cool nitric acid by a much larger range than the device illustrated in Fig. 2. Suppose also that, in addition to the design shown in Fig. 2, the designer knows of the generic mechanism of cascading (replication of a device structure to achieve a larger function). Stroulia and Goel show how the cascading mechanism can be represented in the FR language and applied to replicate the water pump in Fig. 2 to cool nitric acid by a larger range.
Note that the cascading mechanism is not only device-independent but also domain-independent. Bhatta and Goel (1993) have studied how cascading can be learned from the design of one type of device such as a nitric acid cooler, and applied to design another type of device, such as an electrical circuit. In their work, the FR of the first device, the nitric acid cooler, guides both the learning of generic mechanisms such as cascading, and the transfer of this knowledge across devices and domains.
Design Verification. Let us consider a designer who has just completed a design, i.e., she has put together a description that specifies what components to use in the design and how they are to be connected. Unless the design was done by a very simple process such as table look-up, the designer is likely to have her own explanation of why she thinks the design would work. In our framework, having such an explanation corresponds to possessing a causal story of how the device as designed will meet the functions. The intended behavior of the device as described in the CPD can be verified by simulating the device behavior based on the component descriptions.
As we discussed earlier, there are two problems in using component behavioral specifications for device simulation. First, there is a possible gap in the levels of abstractions between the device-level behaviors we are interested in verifying, and the component-level behavioral descriptions. For example, the language in which the behavior of transistors and resistors is described is that of currents and voltages, but a circuit as a whole might be described functionally as an oscillator or as an adder. We could add a number of abstraction rules, but the simulation needs guidance as to which abstraction rules to apply and when. Second, the component models may describe aspects of behavior that may not be relevant for the device-level behaviors of interest. Without guidance from the device-level functional description, the simulation may become quite complex and unwieldy, generating behaviors that do not contribute to design verification. For example, understood as a component, a pipe may have two sets of behavioral descriptions, the first based on its capability to support flow and the second based on its thermal properties. If the device function is concerned solely with flow, we would want to use this information to avoid having to deal with the behavior composition of thermal properties.
The CPD can be used as follows in the design verification task (Iwasaki and Chandrasekaran, 1992). The predicates that appear in the definition of the nodes in the CPD and the functional predicate, say P_F, are the terms that are of interest at the device-level. We first need to define these predicates in terms of the objects and predicates that occur in the definition of components. For example, suppose that the predicate AmplificationLevel occurs in the description of a node in a CPD, and that the component
behaviors are in terms of voltages and currents. We first define the predicate in terms of the voltages at the input and output of the relevant components. Once a correspondence has been established between the device- and component-level terms, we need to establish that the partial states corresponding to the CPD nodes occur in the device, and that the transition occurs for the reasons mentioned in the annotation. If the annotation said, “By-Function F of component c,” we would want to verify that the component did play the indicated causal role in the transition.
We thus have the designer’s CPD and the structural description. We can generate a description of device behavior from a description of the component behaviors using a simulator that composes the behaviors of the components in the structural description. A number of component description and simulation systems have been described in the AI literature, e.g., Fikes et al. (1991) and Low and Iwasaki (1993). However, as mentioned earlier, this behavioral description will be in component terms. We can then verify that the CPD is supported by this simulated behavioral description, i.e., that the predicates mentioned in the CPD occur in the behavior and in the appropriate causal and temporal relationship.
One can imagine using the simulator in two modes. In one, the simulator is run first and the entire set of state variable values for all relevant discrete instants of time,
$$S_t(x_1, \ldots, x_j, \ldots, x_N), \qquad t = 1, 2, \ldots, T,$$
where S_t is the state vector at time t and x_j is the j-th state variable, is generated. (The state vector is simply the set of all the state variables that describe all the components in the device.) This description is a trajectory of the behavior of the device. Once this simulation is available, we can proceed to establish that the CPD is satisfied by the simulation.
A second mode is one in which the simulation itself is guided by the CPD. That is, we first verify the initial conditions of the FR are satisfied by the initial values of the state vector. The first transition of the CPD is then used to drive the simulator in relevant directions, i.e., to compute the values of the relevant state variables needed to establish the next node in the CPD and the transition. Once these are verified, the simulation can be guided by what is needed to establish the next node in the CPD, and so on. In order to perform this kind of guided simulation, we need to have component-level simulation techniques that can be used in selected directions. The development of these techniques is one area that is in need of research.
The work reported in Iwasaki and Chandrasekaran (1992) uses component simulation in the first mode to verify the CPD. Let us suppose that the
trajectory of behavior has been generated by the simulator, and that we are looking at a transition from node ni to node nj in the CPD. Verifying that the two nodes are satisfied by the trajectory means showing that there are instants k and l, k ≤ l, such that ni is true in state S_k and nj is true in state S_l. To prove this, we will resort to the predicates used in the definition of the nodes in the CPD and the abstractions defined between the variables that occur in these predicates and the component-level variables in the trajectory.
Even if we have verified that the device (in simulation) has gone from node n1 to n2, we still can’t claim that the transition in the CPD has been verified. We still need to show that the transition was realized as a result of, or was caused by, the reason mentioned in the annotation. For example, suppose that the annotation is By-Function F of the component c. If component c had no role to play in the transition, it is possible that it was not needed, and, in any case, the designer’s account of why the device worked would be incorrect. How to decide if one event causes another is a contentious philosophical issue, but the following weak criterion is sufficient for most purposes: p_i causes p_j if p_i had anything to do with eventually bringing about p_j, where p_i and p_j are predicates in nodes ni and nj, j > i. In Iwasaki and Chandrasekaran (1992) techniques of causal ordering, originally presented in Iwasaki and Simon (1986), are used to show this kind of relationship between p_i and p_j. Showing that the function of a component causes some aspect of a state to be true requires careful use of the function-type semantics.
A slightly different kind of design verification task occurs in the context of incremental modification of a design. Suppose that a designer designs a new device for achieving a desired function F2 by “tweaking” the design of a known device that delivers a function F1 very similar to F2.
The designer may now want to verify whether the proposed design for the new device will result in the desired functionality F2. Note that the designer already knows that the old design results in F1. If the designer has access to the FR of the old design, he may modify the FR to reflect the design tweak, and then simulate the revised FR by forward tracing to determine whether the proposed design will deliver the desired function F2. Kritik (Goel, 1989), which designs new devices in this manner, uses this method to verify whether a proposed design tweak helps in achieving a desired function.
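The first verification step described above, finding instants k ≤ l at which successive CPD nodes hold in a precomputed trajectory, can be sketched as follows. This is an added example, not the procedure of Iwasaki and Chandrasekaran (1992): the node names, thresholds, voltages and the definition of AmplificationLevel as an output-to-input voltage ratio are constructed, and the causal check on the annotation is not covered.

```python
def amplification_level(state):
    """Abstraction rule: device-level term defined from component-level voltages."""
    if state["v_in"] == 0:
        return 0.0
    return state["v_out"] / state["v_in"]


# CPD nodes as predicates over one state vector (constructed definitions).
NODES = {
    "signal-present": lambda s: s["v_in"] >= 0.1,
    "amplified": lambda s: amplification_level(s) >= 10,
    "output-saturated": lambda s: s["v_out"] >= 4.5,
}

# Constructed trajectory: one state vector per discrete instant.
TRAJECTORY = [
    {"v_in": 0.0, "v_out": 0.0},
    {"v_in": 0.1, "v_out": 0.2},
    {"v_in": 0.1, "v_out": 1.2},
    {"v_in": 0.2, "v_out": 2.4},
]


def verify_path(path, nodes, trajectory):
    """Find non-decreasing instants at which the nodes of a CPD path hold.

    Returns (instants, failed_transition). failed_transition is None when
    every node is satisfied in order, otherwise the (source, target) pair
    whose target node never becomes true at or after the source's instant.
    Taking the earliest instant for each node is sufficient: if any valid
    sequence of instants exists, the earliest-first one does too.
    """
    instants = []
    t = 0
    for name in path:
        while t < len(trajectory) and not nodes[name](trajectory[t]):
            t += 1
        if t == len(trajectory):
            source = path[len(instants) - 1] if instants else None
            return instants, (source, name)
        instants.append(t)
    return instants, None


if __name__ == "__main__":
    print(verify_path(["signal-present", "amplified"], NODES, TRAJECTORY))
    print(verify_path(["signal-present", "amplified", "output-saturated"],
                      NODES, TRAJECTORY))
```

A successful result only shows that the partial states occur in the right temporal order; establishing that the annotated function caused the transition still needs the causal-ordering analysis the text refers to.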
4.4.6 Representing Problem Solvers as Devices
I earlier described Allemang’s work in representing computer programs in the FR framework and using it to reason about errors. An AI problem-solving program is, of course, a specific type of computer program, and thus has a device-like representation. Weintraub (1991), Johnson (1993),
and Stroulia and Goel (1993) have built systems that use the FR of the problem solvers as a basis for critiquing problem-solving behavior. Weintraub’s system uses this critiquing for credit assignment (actually blame assignment) in learning. Johnson uses it as the basis for student monitoring in a tutorial system for problem solving. Stroulia and Goel use it for self-monitoring, credit assignment, and self-adaptation in the context of a planning system. In all these cases the FR is used as an abstract representation of the strategy of the problem solver, i.e., the goal-subgoal structure of the problem-solving method. Because the problem solvers involved in all these cases use goals and subgoals explicitly during problem solving, the organization of the problem solver has the same function-subfunction decomposition as in the case of devices.
In Weintraub’s work, the transitions of the CPD represent the execution of the method’s subtasks. Associated with each transition is a set of error candidate rules. If the problem-solving system that is being critiqued fails to make a transition or makes it with erroneous parameters, the credit assignment system uses these rules to make hypotheses about the sources of error in the problem solver. The FR thus provides an abstract road map of the strategy for the critic. Johnson uses the FR of the problem solver in a similar way to monitor a student’s problem-solving behavior. Stroulia and Goel use the FR for self-monitoring by a planning system, to generate hypotheses about the causes of error when the planner either fails to produce a plan or the plan fails upon execution, and to modify the planner using generic repair plans.
There are some interesting differences between the FRs used by Weintraub, Johnson, and Stroulia and Goel in representing problem solvers. 
Weintraub uses CPDs in the way we have so far used them for devices and programs: the method is a state transition diagram in which the nodes are partial states at the appropriate level of description. On the other hand, Johnson wants to model problem-solving methods whose behaviors are not completely specified in detail beforehand. Her problem solver is built in the Soar framework (Laird et al. 1987). In this framework a method is specified abstractly as a set of subgoals and some type of “search-control” knowledge, and out of this information an actual search strategy emerges at runtime in response to the specifics of the problem situation. This kind of flexibility is not normally part of ordinary devices and programs, and hence their FRs have their CPDs completely specified in advance. On the other hand, the goal of the Soar framework is to build flexible problem solvers, i.e., problem solvers that are not committed to a fixed procedure to achieve a goal. Only a high-level strategy is specified and the detailed behavior is determined at run-time. Johnson represents CPDs solely by their subgoals together with some general knowledge of the constraints on sequencing them. The following example illustrates this situation.
The specification in Fig. 13 says that Goal B can be achieved by either of the two methods B1 or B2. Method B1 has two subgoals to be achieved in a specified order, while method B2’s subgoals can be achieved in any order depending upon the circumstances. In the case of B2, this abstract representation actually corresponds to six distinct sequences and, hence, is a more compact representation.
Stroulia and Goel’s Autognostic system (Stroulia and Goel, 1993) uses FR to describe the reasoning process of a robot planner. Autognostic uses the FR model to monitor the planner’s problem solving in a manner similar to Johnson’s. If the planner fails to produce a plan or if the plan it does produce fails upon execution, then, as in Weintraub’s work, Autognostic uses the FR model of the planner to assign blame and generate hypotheses as to the causes of failure. The process of blame assignment, however, is different. In Weintraub’s work, transitions in the CPD are annotated by associative rules that indicate the likely sources of error. In contrast, Autognostic uses the derivational trace of problem solving in conjunction with the FR model to identify the sources of error. A major aspect of this work is the redesign of the robot planner after the causes of failure have been identified. The FR model provides a vocabulary for indexing repair plans that correspond to different types of failure causes. In addition, the semantics of the FR model enable a modification of the planner in a manner that maintains the consistency of problem solving.
4.4.7 Representation of Scientific Theories
Darden (Darden, 1990, 1991, 1992; Moberg and Josephson, 1990) has used FR to represent scientific theories and to capture certain aspects of theory change in science. FR is a natural medium for the representation of theories, especially in domains such as biology and geology where the objects of study are causal processes. Debugging a theory is akin to debugging a mechanism.

Function: To-achieve B
    If: Desired R-B
    By: Method B1 or Method B2
Method B1:
    Goals: F, G
    Control: F precedes G
Method B2:
    Goals: H, I, J
    Control: No prior constraints
FIG. 13. Goals, multiple methods, and method selection information.
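The specification of Fig. 13 can be encoded as subgoals plus ordering constraints and used to check an observed sequence of achieved subgoals against each method, as in the monitoring uses described in Section 4.4.6. The following Python code is an added example, not code from the systems of Johnson, Weintraub, or Stroulia and Goel; the dictionary encoding, the function names and the status labels are assumptions.

```python
"""Monitor subgoal traces against the goal/method specification of Fig. 13."""
from itertools import permutations

# Constructed encoding of Fig. 13: each method lists its subgoals and its
# control knowledge as (earlier, later) ordering pairs.
METHODS = {
    "B1": {"goals": ("F", "G"), "precedes": {("F", "G")}},
    "B2": {"goals": ("H", "I", "J"), "precedes": set()},
}


def violations(order, precedes):
    """Ordering pairs broken by `order` (a full sequence or a prefix).
    A pair (a, b) is broken if b was achieved without a preceding it."""
    pos = {}
    for i, goal in enumerate(order):
        pos.setdefault(goal, i)  # first achievement of each subgoal counts
    return sorted(
        (a, b) for a, b in precedes
        if b in pos and (a not in pos or pos[a] > pos[b])
    )


def admissible_sequences(spec):
    """Every complete ordering of the subgoals that the control allows."""
    return [p for p in permutations(spec["goals"])
            if not violations(p, spec["precedes"])]


def monitor(trace, spec):
    """Classify an observed trace against one method.
    Returns (status, detail):
      ("inapplicable", subgoals in the trace that the method does not have)
      ("violation",    ordering pairs that were broken)
      ("in-progress",  subgoals still to be achieved)
      ("achieved",     [])
    """
    foreign = [g for g in trace if g not in spec["goals"]]
    if foreign:
        return ("inapplicable", foreign)
    broken = violations(trace, spec["precedes"])
    if broken:
        return ("violation", broken)
    missing = [g for g in spec["goals"] if g not in trace]
    return ("in-progress", missing) if missing else ("achieved", [])


def critique(trace, methods=METHODS):
    """Evaluate the trace against every method available for the goal."""
    return {name: monitor(trace, spec) for name, spec in methods.items()}


if __name__ == "__main__":
    for name, spec in METHODS.items():
        print(name, len(admissible_sequences(spec)), "admissible sequence(s)")
    # Constructed traces of subgoals in the order they were achieved.
    for trace in (["H", "J"], ["G", "F"], ["J", "H", "I"]):
        print(trace, critique(trace))
```

The compact form stores three subgoals and no constraints for B2, while the enumeration recovers the six sequences the text mentions.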
4.5 Generating FRs for New Devices
In all of our discussion so far, we have assumed that the designer or someone else has constructed an FR for the device that is being reasoned about. For diagnosis and simulation, the FR is assumed to be given, and the reasoning mechanisms produce diagnostic knowledge or a simulation of the device. For design verification, the component-level simulation mechanism produces a simulation of all the state variables at the component level, but the FR as proposed by the designer is matched to the simulation to see if the CPD in FR is supported by the generated behavior. Human experts, however, are often able to construct functional representations of devices they have not seen before in their domains of expertise. For example, if a circuit is shown to an electronic specialist, she might, after some hypothesis-making and verification, identify the circuit as, say, an amplifier and proceed to explain what components play what role and how she thinks it works as an amplifier.
I remarked earlier that, given a structure, i.e., a set of components connected in some way, the FR of the device as a whole is determined partly by considerations that are outside the device itself. The levels of abstractions of device-level variables, i.e., the terms of description, are determined both by the problem-solving goals and by what can be supported by the component-level descriptions. Given a circuit with two resistors in parallel, a possible device-level hypothesis is that one of the resistances is providing a current shunt, and an FR that focuses on that aspect can be constructed. Two loads in parallel is another possibility, and an FR that reflects that situation is also possible. If the goal is to construct an FR as intended by the designer, some form of “best explanation” reasoning may, in general, be necessary. 
That is, a form of abductive reasoning is employed in which, using a number of cues, a hypothesis is drawn regarding the intended function of the device and a corresponding FR is constructed. One approach to constructing an FR for a device is to adapt the FR of a similar device, if such information is available in memory. The Kritik system of Goel (1991b) explores this method. Prabhakar and Goel (1992) investigate how the process of adapting the FR of a known device to obtain the FR of a new device can be facilitated by FR-like representations of generic physical processes and mechanisms. For the more general version of the problem of constructing FRs for novel devices, Thadani and Chandrasekaran (1993) propose a set of techniques, and Thadani (1993) has built a system that does this in the domain of passive electrical circuits. A central idea is that expertise in domains partly consists of structure-function-CPD templates at various levels of description. These templates consist of structural skeletons, functions that they
can help achieve, and an abstract CPD that describes how the structural skeleton might achieve that function. Such phrases as “skeleton,” “template” and “abstract” are intended to indicate that the templates and the CPDs may refer to classes of objects and behaviors, and also may not have all the details filled in. They may simply be organized fragments of knowledge of the domain, fragments embodying pieces of understanding about structural configurations and their relations to various functions. As a new physical situation is presented, the reasoning proceeds as follows. Templates from memory are matched to the description. All the templates that match parts or the whole of the device are retrieved and ranked according to the degree of match. Templates that have the highest degree of match are considered first. The templates are instantiated with as much detailed information from the device as available. Instantiated CPDs may suggest additional hypotheses as to the possible roles of other structural parts. These hypotheses may be partially or completely verified by checking the conditions associated with the selected CPDs. The hypotheses may also be verified by simulating the CPD with instantiated parameters, but the current implementation does not use any simulation. In this process, additional hypotheses might be generated about the possible role of other structural parts. To use an example, let us suppose that the original structural description of a circuit is in terms of resistors and voltage sources. Suppose that as a result of template matching and additional verification, portions are labeled as voltage dividers and current shunts. The hypothesis of a shunt might be accepted or rejected based on typical values of the resistors in the shunt and whether the resistors in the device satisfy the typical relation. In another example, the CPD for a hypothesized template might have a transition based on some function of a component. 
We can now check to see if there is structural evidence of the component. If there is, that component structure is so labeled. If there is no evidence, the template is rejected as inapplicable, along with the corresponding hypothesis as to the structural fragment. The surviving CPDs are used to generate hypotheses as to the balance of the device. If the predictions are confirmed, that part of the device is labeled with the function from the template. When the cycle of identifications and verifications is concluded, we may have a set of alternate hypotheses for parts of the device. Each consistent set of interpretations produces different labeling of the parts of the structure. Relabeling for a specific interpretation changes the structural description, raising the level of abstraction at which the structure is described. There will be such a relabeling for each of the alternative set of interpretations. This relabeling enables a new round of matchings to be activated, and a new set of structure-function templates to be retrieved. Because of the
constraints that arise with each such hypothesis, a number of earlier alternatives would typically not survive, but perhaps other alternatives at this higher level might be constructed. In any case, this process is repeated at each level. From the level of resistors and transistors, configurations at the level of voltage dividers and amplifiers may be hypothesized. At the next level of reasoning, the higher-level structural description might enable the reasoner to identify higher-level functional units, aided by templates in the knowledge base that relate structures at this level to higher-level functional units. Each stage prunes away some of the hypotheses from the previous levels, and might add a few hypotheses, but, in general, with a sufficient body of domain knowledge in the form of templates and their constraints, the number of possible interpretations contracts to a small number of highly plausible and consistent ones. This picture of top-down recognition alternating with bottom-up hypothesis verification is one which, I think, models our general reasoning about the behavior of the physical world. In this view, we are armed with a large library of skeletal FRs that relate behaviors, structural constraints, and CPDs at various levels of abstraction in a given domain. Our knowledge of the world is, as I said at the beginning of the paper, in the form of such causal packages. Use of a large repertoire of FRs, spanning multiple levels of abstraction and goals, gives the agent the capability for highly goal-directed and efficient simulation of just the relevant parts of the world for predicting behavior.
4.6 Generalization to Nondynamic Causal Structures
Most of the devices that we have considered so far in the paper are what one might call “dynamic” devices, i.e., devices whose function is defined in terms of the states and state transitions of the device. The device has an initial state and undergoes a causal process of state changes and reaches states in which the functional specification is satisfied. The exception was our discussion of passive devices that achieve their functions simply by virtue of their structure. We used the example of a flower arrangement serving the function of decoration. Here the notion of causation involves the device’s causal effect on the human agents who happen to be the occupants of the room. As I discussed earlier, presumably one could give a causal process account of how the flower arrangement actually ends up creating a sense of beauty in the perceivers. However, for many such devices, we develop direct mappings from structure to function without involving the causal processes in the user. In any case, the flower arrangement does not itself undergo a causal process. Another example of a passive function is the structural frame that gives
strength to a structure by distributing loads between its members. Suppose we want to explain how such a structure is able to support a heavy load. Engineers often give a causal account that goes something like: “This member divides the load and transmits each half to these two members, and because of the thickness of the beam, the stress is pretty small.” This is a causal account, and the phenomena involved are intrinsic to the frame, unlike the case in the flower arrangement example. But the account is not a description of a dynamic causal process, i.e., the frame is not described as undergoing state changes over time in order to explain its ability to support the load. Nevertheless, the explanation by the engineer has the syntactic form of a CPD: something in the device causes something else in the device until the function we are interested in (in this case, a relatively low value of the stress) is shown to be caused, thus explaining the function. Each of the transitions between causes and effects in the explanation can be further explained in the way we described for CPDs: by appeals to functions of substructures, other such “CPDs,” or domain laws. For representation and reasoning, the CPDs play the same role as they do in the case of devices with dynamic state transitions. Toth (1993), in fact, constructs FRs and CPDs for mechanical structures and uses them to simulate their properties. There are examples that are not even causal in the way that the structural frame example is, but nevertheless a CPD-like explanation of why it works can be given, and such explanations can be used for predictive problem solving. When we understand the proof of a theorem, we create subproofs that prove various lemmas. We talk about how the assumptions lead to certain conclusions that lead to other conclusions. 
In the process of explaining how certain conclusions lead to other conclusions, we may appeal to lemmas (which serve the role of functions of components) or to inference rules of logic (domain laws) or to other proofs (other CPDs). Thus, it appears that the structure of FRs and CPDs captures a general logic of comprehension and explanation, with causal explanations being a special case.
Both in the case of the structural frame and in the case of the mathematical proof, the explanation itself has the structure of a process: things are explained one after another, one causing another or one implying another, though, of course, there is no such sequentiality in the phenomena themselves. In the case of the structural frame, all of the stresses and strains are simultaneously in balance, even though the causal account has an inevitably sequential character. In the case of the proof, all the truths about a mathematical domain are eternally true: one conclusion doesn’t cause another conclusion, let alone in a sequential way. So where do the sequentiality of explanations and their formal similarity to causal processes come from in these cases? The answer is that these are
descriptions that are generated or used by cognitive agents with a highly sequential deliberative architecture. When we reason about the world, we move from conclusion to conclusion (or hypothesis to hypothesis). The knowledge state of the agent changes as the agent traverses the knowledge space in this manner. In the case of a real world phenomenon with an intrinsic causal process, there is often a mapping from the knowledge state of the agent to the causal state of interest. When one state changes into another in a device, the agent’s knowledge state, as he traces this state transition, changes in a similar way. This ability to make the sequence of knowledge state transitions mirror the causal structure of the world is, in fact, one of the major sources of the power of thinking in dealing with the world, as Craik pointed out in 1943 (Craik, 1967, is a reprint, with a postscript, of the 1943 edition). The power of goal-directed explanation is not restricted to dynamic causal phenomena, as the examples of the structural frame and mathematical proofs indicate. What the explanations capture is an organization of dependency relations in the domain of interest that helps in arriving at conclusions of interest. Causal state change relations are just one form of such dependency relations.
5. Related Work
There has been quite a bit of work in AI and related areas in trying to understand the relation between the function and structure of devices. The following is a representative but by no means exhaustive selection of such articles in the bibliography: Brajnik et al. (1991), Chittaro et al. (1993), Gero et al. (1992), Hunt and Price (1993), Jordan (1991), Kaindl (1993), Lind (1990), Navinchandra and Sycara (1989), Malin and Leifker (1991), Umeda et al. (1990), and Welch and Dixon (1992). These authors all build on the intuition that functions are made possible by behaviors and that the properties of components (in the structure of the device) make the behaviors “happen.” Our work is characterized by an emphasis on the representation of the causal processes that underlie the functioning of a device. We also emphasize such issues as levels of abstraction, the integration of the functional and process description into device-specific packages, and the formal representation, and use in a variety of problem-solving tasks, of explanatory annotations.
Work like that of Jordan (1991) and Stadlbauer (1991) emphasizes the relationship between shape and function, an issue that we have not been concerned with much in this paper, though, of course, it is an important one. We have also earlier related our work to that of Hodges (1992) by pointing out his attempt to come up with a set of mechanical function
primitives. One can think of his work as a content theory of function in a shape-based mechanical design domain where shapes play a role in the transfer of force and motion. Abu Hanna et al. (1991) discuss how a functional model is not sufficient for diagnosis and point out that additional information is needed, an observation we also make in our work on diagnostic systems based on functional models (Sembugamoorthy and Chandrasekaran, 1986). Hunt and Price also make points similar to those of Abu Hanna et al., about the need in diagnosis for knowledge beyond a purely functional level. Their device representation uses ideas for the representation of function and structure similar to those we have proposed, but does not have a causal process description. They make the point that the CPD of FR could describe a system’s working incorrectly (after all, it is a theory of how the device works composed by the designer or the diagnostician) and, hence, may lead to incorrect diagnosis, and so prefer to use component descriptions for simulating device behavior. The problems that we have identified regarding levels of abstraction in the description could arise and additional inferences from component-level behavioral descriptions might be needed. An approach based on integrating the FR representation in order to focus diagnostic problem solving, and component-level behavior simulation to derive new behaviors that are not explicitly mentioned in the CPDs can be profitable. In fact, the work that we describe on design verification shows how the FR view and the component simulation view can be integrated. Bonnet (1991, 1992), Franke (1991), and Bradshaw and Young (1991) are closest to the kinds of concerns that we have been dealing with in this paper. Bonnet’s work is actually built on FR and he makes additional representational suggestions, including representations for what we have called passive functions. 
Franke focuses on representing the purpose of a design modification and not that of the device itself. As in the work of Iwasaki and Chandrasekaran (1992) on design verification, Franke also matches the description of changes in function against a qualitative simulation of behavior changes from component descriptions. Bradshaw and Young represent the intended function in a manner quite similar to FR. The most important difference between the FR work and that of Bradshaw and Young and also that of Franke is the central role that causal process descriptions play in explaining how a function is achieved. Verification of device design involves not only checking that the function is achieved, but also that the device structure played a causal role in the achievement of the function.
Borchardt (1993) and Doyle (1988) are also relevant though their specific concerns are rather different from ours. Borchardt wishes to understand how to go from natural language descriptions of causal processes to more
precise and complete representations of the details of the process. Doyle’s approach consists of a set of device models for individual physical mechanisms. His program uses a collection of heuristics for synthesizing a device model, from the mechanism descriptions. The hypothesized model is checked by verifying that the appropriate constraints are satisfied. Doyle’s specific mechanism representations employ constraints between variables, while FR additionally emphasizes representation of causal processes. Except for this difference, the work of Thadani and Chandrasekaran described in the paper on constructing device-level FRs has similarities to Doyle’s work.
6. Concluding Remarks
We have reviewed over a decade of work on device understanding from a functional perspective. It should be clear from the review that research on causal and functional representations is just beginning. It might be useful to describe a research agenda for the immediate future. We take this up in the next subsection.
6.1 A Research Agenda
The specific representational elements and organizing principles in the language developed so far have been applied to relatively simple devices and processes. The framework needs to be exercised and expanded by applying it to a larger variety of phenomena and devices. Following is a list of extensions on which work is either being done or needs to be done in the near future. It is likely that many of these problems and issues can be handled within the current ontology, though assuredly some of these will require additional representational and organizational ideas.
i. Functions that arise largely from shape. Suppose we wish to explain how a gear train works. We certainly can give a CPD whose nodes are simply symbolic predicates such as “tooth A exerts force on tooth B.” In fact, the work by Hodges (1992) can be viewed as a catalog of the kinds of influences in force transfer that physical shapes have on each other. However, in the human understanding of this function the shapes of the teeth and the way they mesh together in transmitting the force play an important role. It is important to extend state representations to include components that are shapes, rather than high-level predicates about the effects of shapes. The transitions from shapes to shapes may require appeal to visual or spatial simulation.
ii. Function-sharing. Clever designs often have components that are used differently to achieve different functions (Ulrich and Seering, 1988). It is true that we can write an FR for each function, but an integrated view of the role of the component would be missing in such a representation. This brings up a more general problem in FR, where, for each explicitly defined function, we can write a CPD that captures how it is accomplished. We also need a higher-level integrative perspective in which these individual functions are seen to be part of a larger function that exhibits a unitary representation.
iii. Representation of mutually dependent functions. Suppose, for example, that the car battery system requires that the engine be running regularly in order to keep the battery charged, while running the engine requires that the battery system is functioning normally. We need more experience with FRs that deal with such dependencies.
iv. Abstract or generic devices. Part of engineering expertise involves knowledge of device frameworks, not simply specific devices. Examples are electrical circuits, voltage dividers, regulators, and feedback loops. These frameworks can be instantiated in different ways, but we understand how they work at an abstract level without the instantiation. Building device libraries requires representational and instantiation techniques to be developed for such abstract devices.
v. Representation of functions that arise from a large number of individual elements. The interactions of bacteria and white cells can be individually represented (Sticklen, 1987), but, given that there are millions of these entities, it is impossible to reason about them on an individual basis. Gross behavior has to be explained as arising from the behavior of numerous elements without a need to individually represent each of the elements.
vi. Problem-specific FR construction. 
We have been talking as if there is a fixed, possibly parametrized, FR for each device, or at least for each functional perspective, which we retrieve from memory and apply as needed for specific tasks. However, it appears to me that, even for devices that we thoroughly understand, we construct versions of FR that are appropriate for the particular problem-solving task that we face. For example, depending upon what aspects we expect to be reasoning about, we may impose qualitative conditions on state transitions, or we may represent them with a high degree of numerical accuracy. We may explain how a lamp’s filament produces light by appealing to an equation that relates current to lumens, or we may appeal to a CPD that uses the properties of the filament. Further, for each transition in a CPD, we usually include only certain conditions, i.e., those that we think are worth mentioning explicitly, though we may also be aware of a number of background assumptions that
are not stated explicitly. For example, if we are explaining that “liquid input at the top of a sloping pipe” causes “liquid to emerge at the other end,” we may annotate it in any number of ways depending upon the tasks that we expect to use the pipe for: By-Function (conduit) of pipe is one such annotation. But we also assume that the liquid doesn’t evaporate in the meantime, that the pipe’s surface is not too absorbent in relation to the amount of liquid, and so on and so forth. These assumptions are not stated explicitly, but are available to us when we need to think of them for debugging a faulty pipe. This kind of goal-driven construction of the FR is a capability that is important to understand.
vii. Need for formalizing different senses of ports. We have mostly discussed devices that are constructed by composing components. The components are, in turn, devices as well, i.e., they have functions that can be analyzed in a way similar to the functions of the device which they are part of. In addition, the devices are modeled as having input ports and output ports. Ports serve two distinct roles that are often conflated. In one role input ports are the places where actions performed by the user invoke the function of the device, while output ports are the places where the device delivers the function. For example, we put fruits into the mouth of the juicer and out comes the juice. Or, we input a low-amplitude signal at the input of an amplifier and out comes the amplified signal. There is also another role for the ports, and that is as the locus of connection to other devices for the purpose of creating additional devices. We can cascade two amplifiers, connecting the output of the first amplifier to the input of the second amplifier, to produce an amplifier of higher amplification factor. In many devices it happens that the “input-output” and “locus-of-connection” roles go together naturally. However, this, in general, is not the case. 
For example, when we build a lamp circuit by connecting a bulb with a voltage source and a switch, the input port for invocation of the function is the switch, and the output port is not electrical at all, but spatial, i.e., the immediate region around the bulb. On the other hand, the device as a whole is composed of parts (switch, battery, bulb) that are connected together at various connection ports. These parts are themselves not devices, i.e., they cannot be defined independent of the circuit as possessing a behavior, let alone a function, unlike the individual amplifiers in the cascaded amplifier example. In the case of the cascaded amplifier, we can trace the behavior of the device by tracing the flow of some entity (in this case, the signal) from the input to the output of each component. In the case of the circuit, however, we do not explain the function by starting from the positive terminal of the battery and tracing the flow of electricity through each of the resistors and connecting wires. If there is a break in the
circuit, we don’t say, “..., electricity starts at the positive terminal, moves across the two resistors, and then, oops, it can’t go any further because of the break.” The reason we don’t do this is that electricity is not modeled as flowing unless the circuit is complete. Once it is complete, we can model current as flowing through each of the parts. The interpretation of component ports as places for connections to produce a device is separated from their interpretation as places for delivering or invoking functions. In the case of the lamp circuit, the circuit as a whole can be composed with other components to make a new device. For example, the light from the lamp circuit may be detected by a photodiode in another circuit that might activate a switch. In this case, the input-output for the lamp circuit, viewed as a signal flow, would be the switch and the region around the bulb. The locus of connection is the region around the bulb as well, since the photodiode is positioned there. The output of the device as a whole is the output of the diode circuit, within which presumably a switch is activated. On the other hand, each of the circuits has components and loci of connections that are quite different from the ports in the signal flow perspective. We need to formalize the representation of components, ports, and devices so that the more general sense of devices is captured, or at least the formalization supports the distinctions that I have just described.
viii. Functions that involve time. We have discussed examples where the predicates have to satisfy certain time relations, such as the To-Maintain function, which is defined in terms of certain predicates being always true. 
We also discussed dynamic state abstractions in which a repeating sequence of states was defined as a new state at a higher level of abstraction, say “oscillating.” But we have not discussed examples where the predicates involve specific quantitative temporal relations between the state variables. For example, the function of a sawtooth generator is to generate output over time with specified relations over the values at different times. We need to exercise the FR framework in devices of this type. Further, the work of Rieger and Grinberg (1978) in identifying different types of temporal constraints in transitions needs to be integrated with the FR work. ix. Multiple and redundant causal paths in CPD. There are devices in which a function is achieved by different parallel processes, providing redundancy. There are several versions of this type of parallelism. In one, the function is a quantitative one, e.g., so many units of x are to be produced with a number of different causal processes, using different subsystems, each contributing some amount to the functional requirement. In a second, somewhat similar version of this parellelism, if any of the processes fail, the remaining ones pick up the slack. This requires interesting feedback. Such mechanisms are common in biology.
6.2 Logic of Understanding

To what degree do computer programs that contain functional representations of devices and make use of them to solve problems really understand the devices they are reasoning about? Whether symbolic representations of this type alone can give computers understanding, even when they perform reasoning feats that correspond to human reasoning, is currently a topic of heated philosophical debate in circles concerned with the foundations of AI and cognitive science. The minimal claim I would like to make is that the FR framework is an attempt to capture the logical structure of the understanding of certain types of causal processes in the world. The FR displays the elements that participate in the causal process, and highlights relationships between them which the understander believes exist. As the work I have described demonstrates, possession of the logical properties enables the representation to be the basis for many different problem-solving activities.
6.3 Rich Variety of Reasoning Phenomena

I have surveyed a body of work built up over the last decade on reasoning about artifacts, about their functions, and about their causal processes, which also underlie the functions. The work is based on the assumption that there is a continuity between reasoning in commonsense domains and technical fields, that ordinary people and technical experts share ontologies and cognitive organizing principles for the generic task of modeling the world as a causal phenomenon, predicting behavior, and synthesizing artifacts. I have emphasized that the real power of intelligent behavior arises from the agent’s ability to organize reasoning and computational resources in a goal-directed way, and the qualitativeness of reasoning is just one aspect of it. FR investigates issues about how causal knowledge is indexed and packaged functionally. I have also indicated how the work reported is complementary to work on qualitative device models. Together they provide an integration of top-down and bottom-up reasoning techniques for efficient goal-directed reasoning. The research area is rich in topics for further expansion and exploitation. The FR framework is just one part of a larger framework that was hinted at in Section 2, one in which reasoning, action, and perception are seen as forming an integrated whole. AI has been too closely associated with just a “reasoning” paradigm. The process of achieving goals in the physical world is an area of research that can serve as a great arena for developing an integrated AI perspective.
ACKNOWLEDGMENTS

I would like to acknowledge the contributions of my colleagues and collaborators in FR research over the years, V. Sembugamoorthy, Jon Sticklen, Jack Smith, William Bond, Ashok Goel, Dean Allemang, Anne Keuneke, Lindley Darden, John Josephson, Mike Weintraub, Kathy Johnson, Matt DeJongh, Sunil Thadani, Yumi Iwasaki, Marcos Vescovi, and Richard Fikes. I would like to thank Ashok Goel, Sunil Thadani, Dean Allemang, and Marshall Yovits for reading a draft of this paper and providing a number of useful suggestions for improvement. The research reported here has been supported over the years by DARPA (contract F30602-85C-0010, monitored by Rome Air Development Center, and contract F-49620-89-C-0110 monitored by Air Force Office of Scientific Research), Air Force Office of Scientific Research (grant 89-OZSO), McDonnell Douglas, and BP America.
References

Abu-Hanna, A., Benjamins, V. R., and Jansweijer, W. N. H. (1991). Device understanding and modeling for diagnosis. IEEE Expert 6, No. 2, 26-32.
Allemang, D. (1990). Understanding Programs as Devices. Ph.D. thesis, Ohio State University.
Allemang, D. (1991). Using functional models in automatic debugging. IEEE Expert 6, No. 6, 13-18.
Allemang, D. and Chandrasekaran, B. (1991). Functional representation and program debugging. In Proceedings of the 6th Knowledge-Based Software Engineering Conference, IEEE Computer Society Press, pp. 136-52.
Allemang, D. and Keuneke, A. (1988). Understanding Devices: Representing Dynamic States. Columbus, Ohio: Laboratory for AI Research, Ohio State University, Technical Report 88-AKDYNSTATES.
Bhatta, S. and Goel, A. (1993). Learning Generic Mechanisms from Experiences for Analogical Reasoning. In Proceedings of the Fifteenth Annual Conference of the Cognitive Science Society, Boulder, Colorado. Hillsdale, NJ: Lawrence Erlbaum Associates, pp. 237-42.
Bonnet, Jean-Charles (1991). Functional Representations: a Support for Enriched Reasoning Capabilities. Stanford University, Knowledge Systems Laboratory, Technical Report KSL 91-58.
Bonnet, Jean-Charles (1992). Towards a Formal Representation of Device Functionality. Stanford University, Knowledge Systems Laboratory, Technical Report KSL 92-54, 1992.
Borchardt, G. C. (1993). Causal Reconstruction. Massachusetts Institute of Technology, AI Lab, Memo 1403.
Bradshaw, J. A. and Young, R. M. (1991). Evaluating design using knowledge of purpose and knowledge structure. IEEE Expert 6, No. 2, 33-40.
Brajnik, G., Chittaro, L., Tasso, C., and Toppano, E. (1991). Representation and use of teleological knowledge in the multi-modeling approach. Trends in Artificial Intelligence, E. Ardizzone, S. Gaglio, and F. Sorbello (eds.). Berlin: Springer Verlag, pp. 167-76.
Brand, M., Birnbaum, L., and Cooper, P. (1992). Seeing is believing: Why vision needs semantics. In Proceedings of the Fourteenth Meeting of the Cognitive Science Society. Hillsdale, NJ: Lawrence Erlbaum Associates, pp. 720-5.
Bylander, T. (1988). A critique of qualitative simulation from a consolidation viewpoint. IEEE Trans. Systems, Man and Cybernetics 18, No. 2, 252-63.
Bylander, T. (1990). Some causal models are deeper than others. Artificial Intelligence in Medicine 2(3), 123-8.
Chandrasekaran, B. and Mittal, S. (1983). Deep versus compiled knowledge approaches to diagnostic problem solving. Int. J. Man-Machine Studies 19(5), 425-36.
Chandrasekaran, B., Smith, J. W. Jr., and Sticklen, J. (1989). ‘Deep’ Models and their relation to diagnosis. Artificial Intelligence in Medicine 1, No. 1, 29-40.
Chandrasekaran, B. (1990). Design problem solving: A task analysis. AI Magazine 11, No. 4, pp. 57-71.
Chandrasekaran, B. and Narayanan, H. R. (1990). Integrating imagery and visual representations. In Proceedings of the 12th Annual Conference of the Cognitive Science Society, Boston, MA. Hillsdale, NJ: Lawrence Erlbaum Associates, pp. 670-8.
Chandrasekaran, B. (1991). Models vs rules, deep versus compiled, content versus form: Some distinctions in knowledge systems research. IEEE Expert 6, No. 2, 75-9.
Chandrasekaran, B. (1992). QP is more than SPQR and dynamical systems theory: Response to Sacks and Doyle. Computational Intelligence 8(2), 216-22.
Chandrasekaran, B., Goel, A., and Iwasaki, Y. (1993). Functional representation as design rationale. IEEE Computer, Special Issue on Concurrent Engineering, 48-56.
Chapman, D. (1990). Vision, Instruction and Action. MIT AI Lab, Cambridge, MA.
Chittaro, L., Tasso, C., and Toppano, E. (1993a). Putting functional knowledge on firmer ground. Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence-93 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 23-30.
Chittaro, L., Guida, G., Tasso, C., and Toppano, E. (1993b). Functional and teleological knowledge in the multi-modeling approach for reasoning about physical systems: a case study in diagnosis. IEEE Transactions on Systems, Man and Cybernetics (to appear).
Craik, K. (1967). The Nature of Explanation. Cambridge University Press, Cambridge, UK and New York, NY.
Darden, L. (1990). Diagnosing and fixing faults in theories. Computational Models of Scientific Discovery and Theory Formation. J. Shrager and P. Langley (eds.). Hillsdale, NJ: Lawrence Erlbaum, pp. 319-46.
Darden, L. (1991). Theory Change in Science, Strategies from Mendelian Genetics. Oxford University Press, Oxford.
Darden, L. (1992). Strategies for Anomaly Resolution. In Cognitive Models of Science, Giere, L. (ed.), Minnesota Studies in the Philosophy of Science, Vol. 15. Minneapolis: University of Minnesota Press, pp. 251-73.
Davis, R. (1984). Diagnostic reasoning based on structure and function. Artificial Intelligence 24, 347-410.
DeJongh, M. (1991). Integrating the Use of Device Models with Abductive Problem Solving, Ph.D. thesis, Department of Computer and Information Science, Ohio State University.
de Kleer, J. (1985). How circuits work. In Qualitative Reasoning about Physical Systems, D. G. Bobrow, MIT Press.
de Kleer, J. and Brown, J. S. (1983). Assumptions and ambiguities in mechanistic mental models. In Mental Models, D. Gentner and A. Stevens (eds.). Hillsdale, NJ: Lawrence Erlbaum, pp. 155-90.
de Kleer, J. and Brown, J. S. (1984). A qualitative physics based on confluences. Artificial Intelligence 24, 7-83.
Di Manzo, M., Trucco, E., Giunchiglia, F., and Ricci, F. (1989). FUR: Understanding functional reasoning. Int. J. Intelligent Systems 4, 431-57.
Doyle, R. J. (1988). Hypothesizing Device Mechanisms: Opening up the Black Box. Ph.D. dissertation AI-TR 107, MIT Artificial Intelligence Laboratory.
Faltings, B. (1992). A symbolic approach to qualitative kinematics. Artificial Intelligence 56, No. 2-3, 139-70.
Fikes, R., Gruber, T., Iwasaki, Y., Levy, A., and Nayak, P. (1991). How Things Work Project Overview. Stanford University, Knowledge Systems Laboratory, Technical Report KSO 91-70, 1991.
Fink, P. K. and Lusth, J. C. (1987). Expert systems and diagnostic expertise in the mechanical and electrical domains. IEEE Trans. Systems, Man and Cybernetics SMC-17(3), 340-9.
Forbus, K. D. (1984). Qualitative process theory. Artificial Intelligence 24, 85-168.
Forbus, K. D. (1988). Qualitative Physics: Past, Present and Future. In Exploring Artificial Intelligence, H. Shrobe (Ed.). San Mateo, CA: Morgan Kaufmann, pp. 239-96.
Franke, D. W. (1991). Deriving and using descriptions of purpose. IEEE Expert 6, No. 2, 41-7.
Freeman, P. and Newell, A. (1971). A model for functional reasoning in design. In Proceedings of the Second International Conference on Artificial Intelligence (IJCAI-71). London, England.
Gero, J. S., Tham, K. W. and Lee, H. S. (1992). Behaviour: a link between function and structure in design. Intelligent Computer Aided Design. D. Brown, M. Waldron and H. Yoshikawa (eds.). Amsterdam, Netherlands: North-Holland, pp. 193-225.
Goel, A. K. (1989). Integration of Case-Based Reasoning and Model-Based Reasoning for Adaptive Design Problem Solving. Ph.D. thesis, Ohio State University, Laboratory for Artificial Intelligence Research.
Goel, A. K. and Chandrasekaran, B. (1989). Functional representation of designs and redesign problem solving. In Proceedings of the Eleventh International Joint Conference on Artificial Intelligence, Detroit, Michigan, August 20-25, 1989, Los Altos, CA: Morgan Kaufmann, pp. 1388-94.
Goel, A. K. (1991a). A model-based approach to case adaptation. In Proceedings of the Thirteenth Annual Conference of the Cognitive Science Society, Chicago, August 7-10, 1991, Hillsdale, NJ: Lawrence Erlbaum, pp. 143-8.
Goel, A. K. (1991b). Model revision: A theory of incremental model learning. In Proceedings of the Eighth International Workshop on Machine Learning, Chicago, June 27-29, 1991. Los Altos, CA: Morgan Kaufmann, pp. 605-9.
Goel, A. K. (1992). Representation of design functions in experience-based design. In Intelligent Computer-Aided Design, D. Brown, M. Waldron and H. Yoshikawa (eds.). Amsterdam, Netherlands: North-Holland, pp. 283-308.
Goel, A. K. and Chandrasekaran, B. (1992). Case-based design: A task analysis. In Artificial Intelligence Approaches to Engineering Design, Volume II: Innovative Design, C. Tong and D. Sriram (eds.). San Diego: Academic Press, pp. 165-84.
Hayes, P. (1979). The naive physics manifesto. In Expert Systems in the Micro-Electronic Age, D. Michie (ed.). Edinburgh: Edinburgh University Press, pp. 242-70.
Hodges, J. (1992). Naive mechanics: A computational model of device use and function in design improvisation. IEEE Expert 7, No. 1, 14-27.
Hunt, J. E. and Price, C. J. (1993). Integrating functional models and structural domain models for diagnostic applications. In Second Generation Expert systems, J. M. David, J. P. Krivine and R. Simmons (eds.). New York: Springer-Verlag, pp. 131-60.
Iwasaki, Y. and Chandrasekaran, B. (1992). Design verification through function- and behavior-oriented representations: Bridging the gap between function and behavior. Artificial Intelligence in Design '92, John S. Gero (ed.). Kluwer Academic Publishers, pp. 597-616.
Iwasaki, Y., Fikes, R., Vescovi, M., and Chandrasekaran, B. (1993). How things are intended to work: Capturing functional knowledge in device design. In Proceedings of the 13th International Joint Conference of Artificial Intelligence, San Mateo, CA: Morgan Kaufmann, pp. 1516-22.
Johnson, W. L. (1986). Intention-based diagnosis of novice programming errors. Research Notes in Artificial Intelligence, Los Altos, CA: Morgan Kaufmann.
Johnson, K. P. (1993). Exploiting a Functional Model of Problem Solving for Error Detection in Tutoring. Ph.D. thesis, Department of Computer and Information Science, Ohio State University.
Jordan, D. S. (1991). The Role of Physical Properties in Understanding the Functionality of Objects, Ph.D. thesis, Stanford University.
Josephson, J. R. (1993). The Functional Representation Language FR as a Family of Data Types. The Ohio State University, Laboratory for Artificial Intelligence Research, Columbus, OH, Tech Report.
Kaindl, H. (1993). Distinguishing between functional and behavioral models. In Reasoning About Function. Amruth N. Kumar (ed.). American Association for Artificial Intelligence, 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 50-2.
Keuneke, A. and Allemang, D. (1988). Understanding devices: Representing dynamic states. Technical Report, Ohio State University, Laboratory for Artificial Intelligence Research.
Keuneke, A. (1989). Machine Understanding of Devices: Causal Explanation of Diagnostic Conclusions. Ph.D. thesis, Ohio State University.
Keuneke, A. and Allemang, D. (1989). Exploring the "No-Function-In-Structure" principle. Journal of Experimental and Theoretical Artificial Intelligence 1, 19-89.
Keuneke, A. (1991). Device representation: The significance of functional knowledge. IEEE Expert 6, No. 2, 22-5.
Kuipers, B. (1986). Qualitative simulation. Artificial Intelligence 29, 289-388.
Laird, J. E., Newell, A., and Rosenbloom, P. S. (1987). SOAR: An architecture for general intelligence. Artificial Intelligence 33, 1-64.
Levi, K. R., Moberg, D., Miller, C. A., and Rose, F. (1993). Multilevel causal process modeling: Bridging the plan, execution, and device implementation gaps. In Proceedings of the 1993 Conference on Applications of AI: Knowledge-Based Systems in Aerospace and Industry, Orlando, FL, Bellingham, WA: SPIE-The International Society for Optical Engineering, pp. 240-50.
Lind, M. (1990). Representing Goals and Functions of Complex Systems-An Introduction to Multilevel Flow Modeling. Technical Report, Institute of Automatic Control Systems, Technical University of Denmark, Lyngby, Denmark.
Liver, B. (1993). Working around faulty communication procedures using functional models. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence, 1993 Workshop Program, pp. 95-101.
Low, C. M. and Iwasaki, Y. (1993). Device modeling environment: an interactive environment for modeling device behavior. Intelligent Systems Engineering 1, No. 2, 115-45.
Malin, J. T. and Leifker, D. B. (1991). Functional modeling with goal-oriented activities for analysis of effect and failures on functions and operations, Telematics and Informatics 8(4), 353-64.
Moberg, D. and Josephson, J. (1990). Diagnosing and fixing faults in theories, Appendix A: An implementation note. In Computational Models of Scientific Discovery and Theory Formation, J. Shrager and P. Langley (eds.). San Mateo, California: Morgan Kaufmann, pp. 341-53.
Murray, W. R. (1988). Automatic program debugging for intelligent tutoring systems. Research Notes in Artificial Intelligence, Los Altos, CA: Morgan Kaufmann.
Narayanan, Hari N. and Chandrasekaran, B. (1991). Reasoning visually about spatial interactions. In Proceedings of the 12th International Joint Conference on Artificial Intelligence, Sydney, Australia, August 1991, Mountain View, CA: Morgan Kaufmann, pp. 360-5.
Patil, R. S., Szolovits, P., and Schwartz, W. B. (1981). Causal understanding of patient illness in medical diagnosis. In Seventh International Joint Conference on Artificial Intelligence, Vancouver, British Columbia, pp. 893-9.
Pearl, J. (1986). Fusion, propagation, and structuring in belief networks. Artificial Intelligence 29, No. 3, 241-88.
Pearl, J. and Verma, T. S. (1991). A theory of inferred causation. In Proceedings of the International Conference on Knowledge Representation.
Pegah, M., Sticklen, J., and Bond, W. (1993). Functional representation and reasoning about the F/A-18 aircraft fuel system. IEEE Expert 8, No. 2, 65-71.
Pittges, J., Eiselt, K., Goel, A. K., Garza, A. G. S., Mahesh, K., and Peterson, J. (1993). Representation and use of function in natural language understanding. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence, 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 114-20.
Prabhakar, S. and Goel, A. K. (1992). Integrating case-based and model-based reasoning for creative design: Constraint discovery, model revision and case composition. In Proceedings of the Second International Conference on Computational Models of Creative Design, Heron Island, Australia. December 1992. Kluwer Academic Press.
Rieger, C. and Grinberg, M. (1978). A system of cause-effect representation and simulation for computer-aided design. In Artificial Intelligence and Pattern Recognition in Computer-Aided Design, Latombe (ed.). North Holland, pp. 299-333.
Rivlin, E., Rosenfeld, A., and Perlis, D. (1993). Recognition of object functionality in goal-directed robotics. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence, 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 126-30.
Sacks, Elisha P. and Doyle, Jon (1992). Prolegomena to any future qualitative physics. Computational Intelligence (Blackwell) 8, No. 2, 187-209.
Sembugamoorthy, V. and Chandrasekaran, B. (1986). Functional Representation of Devices and Compilation of Diagnostic Problem-Solving Systems. In Experience, Memory, and Learning, J. Kolodner and C. Riesbeck (eds.). Lawrence Erlbaum Associates, pp. 47-73.
Simon, H. A. (1991). Nonmonotonic Reasoning and Causation: Comment. Cognitive Science 15, No. 2, 293-300.
Stadlbauer, H. (1991). Functional skeletons: From specification to design. INFA-report, Institute for Flexible Automation, Technical University of Vienna, Austria.
Stark, L. and Bowyer, K. W. (1991). Achieving generalized object recognition through reasoning about association of function to structure. IEEE Trans. Pattern Analysis and Machine Intelligence 13, 1097-1104.
Steels, L. (1989). Diagnosis with a function-fault model. Applied Artificial Intelligence Journal 3, No. 2-3, 129-53.
Sticklen, J. H. (1987). MDX2, an integrated medical diagnostic system, Ph.D. dissertation, Ohio State University.
Sticklen, J. and Chandrasekaran, B. (1989). Integrating classification-based compiled level reasoning with function-based deep level reasoning. Applied Artificial Intelligence 3, No. 2-3, 275-304.
Sticklen, J., Chandrasekaran, B., and Bond, W. E. (1989). Distributed causal reasoning. Knowledge Acquisition 1, 139-62.
Sticklen, J., Kamel, A. and Bond, W. E. (1991). Integrating Quantitative and Qualitative Computations in a Functional Framework. Engineering Applications of Artificial Intelligence 4(1), 1-10.
Sticklen, J. and Tufankji, R. (1992). Utilizing a functional approach for modeling biological systems. Mathematical and Computer Modeling 16, 145-60.
Sticklen, J., McDowell, J. K., Hawkins, R., Hill, T., and Boyer, R. (1993). Troubleshooting based on a functional device representation: diagnosing faults in the external active thermal control system of space station FREEDOM. In SPIE Applications of Artificial Intelligence XI: Knowledge-based Systems in Aerospace and Industry, U. Fayad (ed.). Orlando, FL, SPIE.
Stroulia, E., Shankar, M., Goel, A. K., and Penberthy, L. (1992). A model-based approach to blame assignment in design. In Proceedings of the Second International Conference on AI in Design, Kluwer Academic Press, pp. 519-38.
Stroulia, E. and Goel, A. K. (1992). Generic teleological mechanisms and their use in case adaptation. In Proceedings of the Fourteenth Annual Conference of the Cognitive Science Society. Hillsdale, NJ: Lawrence Erlbaum Associates, pp. 319-24.
Stroulia, E. and Goel, A. K. (1993). Using functional models of problem solving to learn from failure. Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence, 1993 Workshop Program. Menlo Park, CA: American Association for Artificial Intelligence, pp. 157-63.
Sun, J. and Sticklen, J. (1990). Steps toward tractable envisionment via a functional approach. In The Second AAAI Workshop on Model-Based Reasoning, American Association for Artificial Intelligence, Boston, pp. 50-5.
Sycara, K. and Navinchandra, D. (1989). Integrating case-based reasoning and qualitative reasoning in engineering design. In Artificial Intelligence in Engineering Design, J. Gero (ed.). Southampton, UK: Computational Mechanics Publications, and Heidelberg, Germany: Springer Verlag, pp. 232-50.
Thadani, S. (1994). Constructing functional models of a device from its structural description. Ph.D. thesis, Department of Computer and Information Science, The Ohio State University.
Thadani, S. and Chandrasekaran, B. (1993). Structure-to-Function Reasoning. In Reasoning About Function, Amruth N. Kumar (ed.). American Association for Artificial Intelligence 1993 Workshop Program, pp. 164-71.
Toth, S. (1993). Using Functional Representation for Smart Simulation of Devices, Ph.D. thesis, Department of Computer and Information Science, The Ohio State University.
Ulrich, K. T. and Seering, W. P. (1988). Function sharing in mechanical design. In Proceedings of AAAI-88, American Association for Artificial Intelligence, pp. 450-4.
Umeda, Y., Takeda, H., Tomiyama, T., and Yoshikawa, H. (1990). Function, behavior and structure. Applications of Artificial Intelligence in Engineering V, Vol. I: Design, Computational Mechanics Publications, Southampton, pp. 177-93.
Vescovi, M., Iwasaki, Y., Fikes, R., and Chandrasekaran, B. (1993). CFRL: A language for specifying the causal functionality of engineered devices. In Proceedings of the Eleventh National Conference on AI, American Association for Artificial Intelligence, AAAI Press/MIT Press, pp. 626-33.
Weintraub, M. A. (1991). An Explanation-Based Approach to Assigning Credit, Ph.D. dissertation, The Ohio State University, Department of Computer and Information Science, Columbus, OH.
Weiss, S., Kulikowski, C., and Amarel, S. (1978). A model-based method for computer-aided medical decision-making. Artificial Intelligence 11, 145-72.
Welch, R. V. and Dixon, J. R. (1992). Representing function, behavior and structure during conceptual design. In Design Theory and Methodology DTM'92, D. L. Taylor and L. A. Stauffer (eds.). American Society of Mechanical Engineers, pp. 11-18.
Weld, D. (1986). The use of aggregation in causal simulation. Artificial Intelligence 30(1), 1-34.
Computer-Based Medical Systems

JOHN M. LONG¹
Department of Surgery
University of Minnesota
Minneapolis, Minnesota
1. Overview
2. Automation and the Healing Arts: The Changing World of Medicine in the Information Age
   2.1 The Issues
   2.2 Information Age Medicine
   2.3 The Nature of Medical Computing
3. Special Issues in Medical Computing
   3.1 Legal and Ethical Issues
   3.2 Validation, Regulation, and Standardization: A Dilemma
4. A Review of Computer-Based Medical Systems
   4.1 Automated Medical Records Systems: Problems and Opportunities
   4.2 Clinical Assessment and Risk Evaluation
   4.3 Imaging Systems
   4.4 Medical Devices
5. Artificial Intelligence in Medicine
   5.1 Expert Systems
6. Concluding Remarks
   6.1 A Brief Look Toward the Future
   6.2 Summary
References
   A. General
   B. Validation, Regulation, and Standardization
   C. Automated Medical Records Systems
   D. Clinical Assessment and Risk Evaluation
   E. Artificial Intelligence and Neural Networks
   F. Imaging Systems
   G. Medical Devices
¹ Current address: 2676 Manson Pike, Murfreesboro, Tennessee.

ADVANCES IN COMPUTERS, VOL. 38. Copyright © 1994 by Academic Press, Inc. All rights of reproduction in any form reserved. ISBN 0-12-012138-7

1. Overview

The notion of computer-based medical systems embraces the full range of computer systems, both hardware and software, that are designed and
built for use in a medical environment. These include embedded computers (hardware and software) found in medical devices. Systems used in conjunction with patient care are emphasized. This article is concerned with the process of engineering, inventing, designing, developing, and implementing computer-based medical systems. Manufacturers of both hardware- and software-based systems face special commercialization challenges. Regulatory agencies throughout the world are developing new ways to monitor product safety, but few standards exist for the embedded software in medical products. In addition to the software that comes with a device, regulatory agencies are also concerned with all the software used in creating medical devices, including production-equipment software and automated test equipment software. It is incumbent on engineers to demonstrate that all medical software is developed and validated under established practices. There is a special group of software-based systems characterized by processing ability. These range from health information systems to database managers. A major role is to support knowledge management. Patient care can no longer depend solely on the memorized knowledge of the individual doctor. Virtually all recent medical knowledge and literature in Index Medicus has been automated by the National Library of Medicine and is now available to doctors at their office terminals. Artificial intelligence techniques are needed to assimilate the huge volume of information cataloged in these computer systems. A whole new discipline, variously called medical informatics, medical computing, or computational medicine, is evolving (Shortliffe et al., 1990). Individual patient data have also become more accessible and manageable through the use of computer-based medical systems. 
Computers are now used in hospitals to track patients, to process and disseminate test results, to ensure that the appropriate medication is used, to apply for insurance reimbursement, and to record patient outcomes as a quality-of-care metric. Similar applications are appearing in doctors’ offices (Oberst and Long, 1987). The overriding issues here are those of regulation, validity, and reliability. Intertwined with these issues are moral and ethical concerns. As already mentioned, these systems are sometimes based on hardware, sometimes on software, and often on some combination of both. The overall organization of the chapter falls into several broad categories. The next two sections deal with issues that are a direct consequence of the use of computers and automation in medicine. This is followed by a discussion of the ways in which computers are becoming a part of clinical practice. A general overview of applications of artificial intelligence in
computer-based medical systems comes next. A few general remarks bring this discussion to a conclusion. An important part of this chapter is the set of references listed in Reference Sections A through G.

It has been ten years since a paper devoted to a medical topic has appeared in Advances in Computers (O’Kane, 1983). Several earlier articles related to the field of medicine have appeared. An early chapter on biomedical pattern recognition was written by a pioneer in the field (Ledley, 1966). Alan Westin discussed problems related to computers and privacy, problems that continue to be a vital issue in medicine (Westin, 1973). More recently, Kent Norman discussed models of information flow and control between humans and computers with medical overtones (Norman, 1988).
2. Automation and the Healing Arts: The Changing World of Medicine in the Information Age

2.1 The Issues

Very dramatic changes are taking place, brought on by computers and automation, especially in the more technologically advanced segments of our society. The world of medicine is not immune. Indeed these unrelenting changes are infiltrating medicine in a far more pervasive way than even those closest to medicine, the doctors, seem to realize. Here are some of the fundamental aspects of medical practice that are being challenged:

Control. Who controls the practice of medicine? Traditionally, and in most areas of the world, legal control resides with the medical doctor. As we shall see, computer-based medical systems create environments that seriously challenge the doctor’s ability to retain control. It seems almost inevitable that at least some of this control will be lost.

Regulation. In addition to the professional controls, the health care industry is also closely regulated by the government. There are regulations on medical devices, drugs, licensing of various levels of health professionals, and other areas as well. The current system of regulations is being challenged in fundamental ways by computers and automation. This is illustrated by efforts of the United States Food and Drug Administration (FDA) to regulate certain types of computer-based medical systems, even though the concept of regulating computer software is quite foreign to the original purpose of the FDA.
Art versus science. Both the art and the science of medicine are important. The essential role of both aspects of this spectrum is challenged by computer-based medical systems. During most of this century, medicine has been continuously moving more and more toward the science end of the art-versus-science spectrum. The role of such human qualities as compassion is constantly being challenged by new technology and science. Computers and automation introduce an interesting element in this equation because they expand it in both directions, or at least have the potential to do so. Automation is extending the technical and scientific aspects of medicine far beyond what anyone might have expected a few years ago. At the same time, it also opens up the way to vast improvements in the art, the human qualities, of medicine. It seems ironic and, to some, even inconceivable, that computers and automation can expand the compassionate aspects of medicine. The creative use of computers allows the technical and scientific aspects to become more invisible to the patient and allows the human qualities to be more visible. Further, human-like qualities can be programmed into these systems using artificial intelligence technology.
Dignity and privacy. Computers and automation challenge individual privacy in many new ways. It is true that this problem goes far beyond the field of medicine, but medical information certainly represents some of the most sensitive information collected about individuals. Such data are far more vulnerable when stored in databases and on personal medical record cards (Long et al., 1987). Respect for personal human dignity is challenged when privacy is challenged. However, the challenge of computers and automation to our ability to respect human dignity goes beyond the invasion of privacy. Computer-based medical systems allow us to artificially extend life in forms or states that many consider degrading or unfeasible or inhumane. They allow us to reduce human dignity with gadgetry.
Costs. Medical high tech devices, based mainly in computer technology, are increasing the cost of medical care. At the same time, computers make it possible to micromanage medical costs. The implications of these two trends are great. Here is one example. Computers and automation challenge the long-established practice of concealing the cost of some clinical teaching and research in the clinical charges billed the patient and, ultimately, medical insurers and the government. For years, federal accountants, health insurance companies, and others have attempted with limited success to find ways of measuring and disallowing such charges. Computers and automation are finally allowing them to succeed.
Clinical research. Not all the challenges to medicine brought on by automation are disruptive or harmful. Indeed, there are many truly exciting new possibilities. Among the most revolutionary are the new ways of perceiving of and conducting clinical research, ways that can ameliorate or eliminate many of the problems currently facing medical research, including those related to informed consent, privacy, and animal usage. These new ways are intricately associated with the standardization and automation of medical records (Long, 1986). The potential synergism between standardized and automated medical records and clinical practice, like that between teaching and research, represents a major beneficial outcome of information age medicine. Some may challenge whether or not any (or all) of these fundamental changes are really happening, or whether they can or will occur. And some of those who have seen these trends may not believe that computer-based medical systems are the fundamental causative factor here. If computers are not the cause, they most certainly are enablers. The process can be slowed down or speeded up and, of course, false and/or wrong starts (wrong technically, wrong legally, wrong morally, wrong ethically) have, can, and will occur. Computers and automation are either causing or facilitating the information age revolution in medicine, and there appears to be virtually nothing that will stop it. Twenty or fifty years from now, in places where the best medicine is practiced, that practice is more likely to look like “Star Trek” than today’s modern medicine.
2.2 Information Age Medicine
2.2.1 The Airline Analogy
We hear our emerging computer-based society referred to more and more frequently as the “information age,” usually in comparison to the earlier “industrial age.” It is not always clear just exactly what is meant by the term “information age.” As used here, it can best be explained by an analogy, by looking at what has happened in those segments of the airline industry that have already moved into the information age. Let’s focus on the airline reservation system for a moment. The following is not historically correct in every detail but we will use it to make a point and to provide insights. The initial motivation for automating airline reservations was to bring order and continuity into the system. Computers were used to automate the files representing seat spaces on flights in such a way that the file of spaces available shrunk as tickets were sold. Spaces were maintained in a central computer and sold and reserved from any
destination in the airline’s system using a communications network. The initial problem was solved! It is interesting to note that the solution required a merger of communications and computers, a merger that is essential for virtually all information age systems. Things did not stop there. Once the original problem was solved, an interesting form of synergism began to occur. Here are some of the events that ensued. The computer terminals, used initially at airline ticket counters to reserve and sell spaces, were next placed at many other convenient locations beneficial to the airline and the public, places like central reservation centers and travel agencies. Devices were added that automatically printed tickets, eliminating the need to write out tickets and making them more legible. The “seat space” file in the computer was expanded to include the name of the person who bought the space. Later it was further expanded to include the specific location of the space on the aircraft (seat selection). Another level of synergism was created as these expanded features were added to the system. Passenger lists could now be generated automatically. The entire airline’s flight schedule was stored in the computer as well as being on-line, providing an easy reference for many uses not originally anticipated. The schedules of other airlines were merged into a single file, providing a complete on-line schedule of all airlines. These impressive achievements do not yet meet this paper’s definition of an information age system. Somewhere along the way, airlines began to realize that the data captured by the reservation system had much more potential. Each airline began to exploit these data in order to improve and personalize their services and to gain business advantages over competitors. Reservation systems became a tool for achieving strategic advantage.
By controlling the schedules of all airlines in the on-line listings, an airline that maintained these listings could, and, in various subtle and not so subtle ways, did direct business to themselves. The advantages were so effective that government regulations were established to provide control. One estimate points to a 10% to 15% advantage for the airline maintaining the reservation system that still exists in spite of these regulations. Schedules were improved. By having its entire schedule in an on-line display and available for sophisticated mathematical modeling, the plan became more comprehensible, allowing deeper insights and a more comprehensive analysis regarding the proper timing and destinations of flights from any given point in the system. Customer services were personalized. Individual customer profiles could be developed from the existing database, which held such data as seat preference, frequency of travel, and travel patterns.
Airlines are using the information automatically captured by their reservation systems in conjunction with artificial intelligence technology to create and implement flexible strategies so as to more completely fill the seats on flights while minimizing the number of cheaper seats that have to be sold in order to accomplish this goal. For example, airlines continuously monitor the rate of seat sales and modify the mix of types of tickets made available to maximize the number and price of sold spaces. They also use the data and various automated strategies to decide the frequency, timing, and destination of flights, and to optimize aircraft usage. The process is continuing and the ultimate end of the synergism is not in sight. The possibilities seem to be limited only by the creativity of its users. Isn’t it interesting that the human creative process seems to be expanding as the automation process moves along? In many cases, business advantage, even survival, depends on such creative usages of information. These creative and synergistic uses of information by the airline industry illustrate our concept of the emerging information age.
2.2.2 Regulation and Control
There are at least two separate issues in the control of medicine. First are the concerns about the individual’s ability to control his or her own health care. Second is deciding who is to control the practice of medicine. Neither of these issues is grounded in automation and computers, but computers and automation provide many more options regarding control than are available in the pre-information age. The designer and builder of computer-based medical systems has the potential to exercise a great deal of de facto control. Consider how the airline reservation system eventually became the critical element of an airline’s operations and survival. Legally, the doctor is in control of health care and responsible for its outcome. This is not likely to change, though de facto control is already shared with a number of outside influences, many of which depend upon computer-based medical systems. In theory, all the aspects of medicine that cannot be directly controlled by doctors in their medical practices, such as medical devices and drugs, are regulated by the government. Computer-based systems, especially expert systems and other systems based on artificial intelligence, also challenge this current simplistic solution by confusing the traditional boundaries between medical practice and government regulation. Controlling a process would seem to involve a conceptual understanding of the process. It may be that, as computer-based medical systems become more complex, conceptual understanding of these systems will be beyond the capacity of any one individual. Indeed, that may be the case already.
Shared control/responsibility seems essential. For example, there really is no well-established way of certifying medical software. Experts, probably non-doctors, must examine the software to see if it is done well. The doctors who use such systems must ultimately rely on these other experts along with their own intuition and other highly subjective feelings to judge the value and meaning of the output of these computer-based medical systems. These factors are all part of the decision as to when and how to use that output in the diagnosis and treatment of a patient. Computer-based medical systems substantially increase the complications associated with medical regulations. In the United States, the FDA is the agency designated to protect the health and safety of the public. The traditional role of the FDA has been expanded to include medical devices, many of which now have embedded computers. These embedded computers are increasing in complexity and more and more often are programmable, that is, they include software as well as hardware. Furthermore, many computer-based medical systems that are basically software require FDA oversight. These software systems include medical expert systems that can select and implement patient protocols. The regulation of these systems requires approaches different than those established by the FDA for drugs. The FDA plan to regulate computer-based medical systems that do not directly interact with a patient goes something like this: If there is a clear division between the physician’s actions on behalf of a patient and the computer-based system, the designer/builder of the system is not “practicing medicine.” What this says is that in such systems the physician observes the output of the computer and then accepts or rejects its results in deciding how to treat the patient. Increasingly sophisticated computer-based medical systems will only further complicate regulation and control of medical practice in the information age.
New structures are needed to manage and effectively use this medical information. This is especially true for expert systems. We discuss this issue more fully in Section 5.1.6. Some of the motivation for greater regulation and shared control of medical practice has been cost containment and has come from the wrong place (i.e., outside the profession). Interestingly enough, these controls rely almost entirely on computer-based information. They include control over how long a patient can be hospitalized, what procedures should be performed, and how many and what drugs are dispensed. In the minds of many, the synergistic potential of computer-based medical systems has, so far, focused on negative aspects, such as cost containment, when the focus should have been on positive issues, such as improved patient care. If properly managed, we can expect both improved care and cost containment to be the ultimate result. Computer-based medical systems can provide support for an expanded
role of paramedics in patient care. This includes, of course, nurses, physicians’ assistants, and other health-care providers. In addition, a whole new set of health professionals may appear, for example, “medical information specialists” who review, digest, and prepare input to the medical databases which support these new health care delivery systems. Such specialists must keep these systems current by incorporating new developments in medical research. They could also provide statistical analyses of the effectiveness of existing treatment protocols, examining, for example, the effectiveness of drugs and treatment regimens in terms of outcome, that is, what worked and in which subpopulations. The good news is that automation and computers could also help these specialists evaluate computer-based systems by tracking, in a fair amount of detail, the final results of using the system’s output. Ultimately, the system could comprehensively evaluate itself. This type of application is one example of the potential synergism one can expect from computer-based medical data in the information age. At the same time that computer-based medical systems are making inroads into medical practice and upsetting the traditional regulation and control mechanisms, these same systems are opening the way for individuals to exercise greater control over their own individual health care. Reasonably intelligent individuals have at their disposal enough information to be able to take care of an increasing number of their own health problems. This is especially true regarding well care or preventive care. An extensive library of information on virtually the entire current medical literature can now be retrieved on a home computer terminal.
2.2.3 Litigation
We live in a litigious society. Medical practice has been a primary target. The effect has been to place limitations on medical practice. Litigation is one more force that is wresting control and authority from the doctors. It has raised costs that are already too high. It has also produced increases in insurance premiums, both to pay for what, at times, seems unreasonably high awards to litigants and to pay for extra procedures in day-to-day medical practice solely as a protection or defense against potential lawsuits. Hopefully, the political process will eventually eliminate or, at least, curtail the negative aspects of this trend. But whether or not this ever happens, information age medicine will change the character of the problem and could, indeed, solve certain aspects of the problem. Here are some of the ways. First, as we have already discussed, computers make it possible to contain and manage the vast volume of medical knowledge, making it more
accessible. It also makes it possible to maintain this knowledge in a more up-to-date manner. This knowledge base can be used to help establish acceptable standards of medical practice. It can be made available to all doctors in a timely manner and at a relatively low cost. This should reduce disagreements regarding “standard and acceptable” medical care. Second, enough information about an individual patient can be made readily available to allow the doctor to treat the patient from a position of knowledge. For example, technology already exists that allows a credit-card-sized medical record to contain a patient’s entire medical history, including photographs, ECGs, radiograms, and even cine angiograms (Long et al., 1987). Finally, the above two elements of information can interact in a broader context in a synergistic way if statistical methods are applied to continuously evaluate the vast amount of data being accumulated. These statistical analyses can provide ongoing updates to the medical knowledge bases regarding the effectiveness of various protocols. They can even be used to discover new facts, for example, which medications interact, both for benefit and for harm, and on which patient subpopulations. These data can help define when and how to use medication. Similarly, they can identify which treatment regimes or protocols work and under what conditions. In other words, these data can be accumulated as an integral part of clinical care and fed back into the system, thus closing the loop. Questions that can be formulated in a closed-loop system include: What is the best way of determining the health status of a patient? Which characteristics imply a certain condition of health, either wellness or illness? and Which actions or inactions are effective?
The relevant point is that these information age knowledge bases, which either already exist or are entirely within the realm of the possible today, can provide enough information to resolve many current legal issues related to malpractice. We can know, or find out, how perfect or imperfect our system is. The ever-present risks of medical practice can be more accurately defined. Much of the guesswork can be replaced by predictable chance. One would hope that such predictable chance can thus be defined and known in advance of medical treatment. One might hope that this could eliminate much current litigation.
2.2.4 Structure
The structure of medical care is already changing in subtle and not so subtle ways. Although it is not very likely that the doctor’s relative position at the top of the hierarchy is going to change much, computer-based systems are employing and will increasingly employ complex knowledge bases and
decision logics which will have consequences that are difficult to fully predict. It is only a matter of time before such computer-based systems will make recommendations that the doctor will be unable to properly assess without extensive help external to himself/herself. It is easy to conceive of such a system recommending a best solution that the doctor will not be able to recognize as such, possibly rejecting it. In areas outside medicine, such solutions that go counter to “common knowledge” have already occurred. The traditional structure of medical practice is evolving toward the use of a team approach. The doctor will remain as leader with control and authority shared with other team members. At least two team member types that do not now exist can be identified. One is the new kind of medical information specialist we have already described, and the other a computerized medical records specialist. The latter’s role will be expanded as s/he becomes an active team member as opposed to the essentially passive role of medical records people today. In summary, the apparent structure of medical practice may not change that much, but the de facto structure is changing and will continue to change. Computer-based medical systems, the systems that are ushering in the information age of medicine, can be helpful or harmful; moral, amoral, or immoral; humanizing or dehumanizing; disruptive or unifying; it all depends on whether or not we use them properly. Computer-based medical systems must be viewed as strategic instruments for managing and assimilating the vast arena of medical knowledge so that this knowledge can be effectively applied to the treatment of illness and the maintenance of wellness. These same knowledge bases can be further exploited in synergistic ways to find out, for example, which treatment protocols are effective, and to then use this knowledge to improve the overall system of health care.
2.3 The Nature of Medical Computing
The medical community has been slow to accept and use automation. For many years automation was confined primarily to hospital business office applications, such as billing, scheduling, inventory, bed census, and the like. Similarly, its impact on private practice has been almost negligible and primarily confined to billing and a few office management aids. The real potential for automation in the clinical practice of medicine has yet to be achieved. Information age medicine has not yet arrived. The reasons are understandable. Medical practice is, of necessity, conservative. Changes come about only after they have been subjected to careful evaluation and are proven beneficial. Medical practitioners are busy, self-directed people who have little time for new and unproven concepts.
There has been a serious communication gap between the computer specialist and the medical practitioner. Computer specialists have difficulty understanding how a medical practice really works. The problem has been aggravated by a tendency to gloss over many of the complexities related to automation. Finally, and perhaps most important, the medical profession is steeped in the personalized one-to-one physician-patient relationship. Many physicians see automation as a threat to this relationship. The potential for automation in medical practice is nevertheless being recognized by more and more physicians. The 1990s will see a substantially increased use of automation in the clinical aspects of medical practice. In the past, there was little pressure on the physician in private practice to automate the office in order to keep up. There are several reasons why the climate is becoming increasingly favorable to private practice office automation. The tremendous increase in paperwork required by government and by insurance carriers has already caused many offices to use automation, at least for billing purposes. Once this happens, the potential benefit in other applications becomes more obvious and it becomes easier to implement these applications. Many doctors in practice today have seen the beneficial uses of automation in their training programs in countless experimental and operational applications. Similarly, many hospitals, where the original uses of computers were business oriented, are now expanding their use of the computer into clinical areas. Computer companies and many computer service vendors, seeing the tremendous business potential, are promoting the use of computers in medical practice. Similar potential exists in the physician’s office. The physician’s office contains a number of systems that operate more or less simultaneously.
Usually, each system consists of a set of policies and procedures defining how the system operates, a means of providing a service or function (such as space and equipment), forms or some other means of recording data, and, most important, personnel trained to make the system operate properly. When all of the interlocking systems in the office have been described, the office operations are defined and open to the use of computers (Oberst and Long, 1987).
2.3.1 Special Characteristics of Clinical Databases
Commercial database management systems (DBMS) are not designed to handle the storage of clinical data because clinical data are found in so many formats:
(a) Most laboratory results can be stored in computers because these data are usually precise numerical measurements made on an absolute or relative scale.
(b) Clinical observations are often reported on a finite-point scale and can be stored in a computer. Binary scales are frequently used to indicate the presence or absence of a sign or symptom, a positive or negative result, or an increase or decrease in some observed phenomenon. Multiple point scales such as “much better,” “better,” “no change,” “worse,” or “much worse” can also be recorded in a computer.
(c) Symbolic scales are a little harder for computers to handle. Findings reported in English words such as color, texture, softness/hardness, tenderness, swelling, and appearance can be stored without too much difficulty, but they are harder to compile and evaluate because of their open format and subjective nature.
(d) Results plotted on a graph, such as ECGs, require special equipment and software in order to be stored in a computer. ECG signals can be digitized (many modern ECG charts are digital) but merging a digital version of an ECG into an automated medical database is a complex procedure that cannot be performed in a typical commercial DBMS. Of course, the results of an evaluation of an ECG can be stored.
(e) Clinical results recorded on film (x-rays, coronary cines, xanthomas) are even harder to store electronically. These can be scanned, digitized, and stored. In fact, more and more of them are being recorded originally in a digital form. However, the capacity to store and read film electronically is beyond the capabilities of the DBMSs used in the local physician’s office. New multimedia systems can solve this problem.
(f) Time-dependent results, such as tables of temperature and blood pressure, can be stored and the results summarized in very useful ways. Time plots, although a bit complex, probably can be handled by certain existing commercial DBMSs.
No known DBMSs can simultaneously store the wide variety of variables we have described in an efficient manner, if at all, let alone merge them into a coherent whole. But that is precisely what is needed! The new multimedia systems now being developed would seem to be most relevant to the field of medicine. Such comprehensive systems are imminent. As this chapter goes to press, the general news media are publicizing an announcement by the Microsoft and Intel Corporations of a new chip and related software that will allow the recording and play-back on a computer monitor of brief cine segments. This appears to be the final part of the components needed to store and retrieve a comprehensive medical record, including all the types of records we have just described.
2.3.2 Managing the Medical Information Explosion
There are several dimensions to the information explosion relevant to clinical practice. The medical records of individual patients are the major dimension. Doctors also need to keep up with relevant changes in medical knowledge. Huge databases of highly relevant medical knowledge are widely available, including those provided by the National Library of Medicine. The library provides on-line retrieval of the title, author, key words, and abstract of virtually all medical research articles published in the world today. The system’s evolution is continuing. In addition to medical literature, there are medical records, medical research databases, insurance records, peer review data, disease registries, and pharmacy information. Patient care protocols and on-line interactive consultations are among the more recently offered information databases.
3. Special Issues in Medical Computing
3.1 Legal and Ethical Issues
There are certain risks associated with the use of computers in clinical medicine including a number of important legal and ethical issues.
3.1.1 Privacy and Security
Privacy is essentially an ethical issue. In the context of computers, it arises primarily in relation to automated medical records. Security is an issue that concerns the physical protection of sensitive medical databases. The privacy issue is certainly not a new one. The patient-physician relationship has been well established for many years. Strong legal and ethical forces have provided reasonable protection to the patient and physician while sometimes allowing society to intrude in order to take care of certain overriding needs (for example, reporting communicable diseases). The principal way in which automated medical records may disrupt these well-established procedures is by making it much easier to obtain patient records. Automated records are, of necessity, better organized and more easily retrievable. There are no magic ways to maintain the security of automated medical databases. Ordinary common-sense precautions are best. An on-line system that exposes confidential records to a public communications network makes the data highly vulnerable not only to computer hackers but to individuals who are more serious in wishing to exploit the data and harm
both the physician and his or her patients. Such confidential data should not be placed on-line in a public network. When medical records are kept off-line (that is, not connected into a public communications network), the security which is needed is no different than that needed to protect manual systems.
3.1.2 Computer-Related Illnesses
As automation increases there will be more patients with computer-related complaints. Much has been written concerning medical complaints caused by extensive computer terminal usage. Eye strain and painful neck, wrist, and shoulders are frequent complaints of terminal operators. When these situations are encountered, certain adjustments can be made. CRT screens that are designed to reduce glare are available. Terminals that are adjustable in terms of distance, angle, and heights of both the monitor and keyboard may be selected. Indirect lighting may be reduced and ergonomically designed chairs introduced. The Department of Labor has examined the overall effect of office automation on workers as has the Rand Corporation. These reports emphasize that proper planning, physical working conditions, and thorough training can and should increase job satisfaction. So far, there are no conclusive data that video display terminals emit harmful radiation. Nonetheless, certain labor unions representing terminal operators keep raising this issue. Computers can create anxiety and stress, an issue with medical overtones. A major cause of anxiety and stress results from worker displacement and unemployment caused by automation. Automation has resulted in a significant displacement of workers in the communications, insurance, printing, and banking industries. More displacements are coming.
3.2 Validation, Regulation, and Standardization: A Dilemma
How to control computer-based medical products and services is controversial but important to all practicing physicians because these products and services are significantly influencing the way medicine is practiced. Many medical devices now have embedded computers. Laboratory equipment, ECG carts, and most modern radiological devices all have computers built into them. Other medical products, such as automated medical records systems and medical expert systems, consist almost entirely of computer programs, that is, computer software. Standards are needed for computer-based medical systems so as to
facilitate the exchange of information and reduce the cost of medical computing software and hardware. Consider the value of a standard insurance claim form. This standard form has simplified office procedures and, most importantly, made it possible to prepare and produce claims automatically.

The need for regulation of computer-based medical products and services is founded on a different concept. We generally accept the fact that regulation of drugs and medical devices is a legitimate function of government. As computer-based medical products become more and more directly involved in the clinical aspects of medicine, it is natural to expect that these computer-based products and services must also be regulated.

Validation of these types of products and services is also a critical issue. In the validation process we determine whether software and/or hardware performs as claimed. Validation concerns have serious legal and ethical implications. For example, suppose a physician relies on a computer program to calculate the radiation dosage for a cancer patient. If, as has already occurred, the program provides an incorrect answer, who is held accountable? No doubt about it, the physician certainly is! Does the company who sold the program or the computer manufacturer share that liability? They probably do. Dozens of similar situations exist today and hundreds more are coming.

Medicine is confronting a dilemma. Medical software validation procedures are not established. Regulations, it would appear, depend on good validation procedures. Very few of the standards needed for medical software exist. The physician is faced with the need to automate in an environment that has few needed controls. Caution, with a heavy dose of common sense, can go a long way toward keeping automation projects moving in the right direction. Above all, one must never abandon good standard management practices.
This obvious piece of advice has not been followed in a number of medical automation projects. Because the validation of medical software is very limited at the present time and regulations are virtually nonexistent, the physician must ultimately rely on his or her own professional judgment when using medical software. If a program provides clinical advice, the doctor has to be concerned with the program’s validity and, possibly, also with regulatory issues. Use these systems only if the basis for the advice is understood and accepted. Hardware standards apply more generally to areas besides medicine and are fairly well established. Thus, considerations regarding computer hardware are less complex and similar to those for users generally. The one exception is computer hardware embedded in a medical device. The previously mentioned error in calculating a radiation dose was done on an embedded computer.
4. A Review of Computer-Based Medical Systems

4.1 Automated Medical Records Systems: Problems and Opportunities
From the beginning, when people first began to think of using computers in medicine, automation of medical records was considered. As stated earlier, it is a key element of many computer-based medical systems. One might have expected it to be among the first things in medicine to be automated. This has not been the case. Some automation of medical records did occur. Hospitals emphasized the automation of those aspects of the record needed to automate billing. Some doctors’ offices also have a similar level of automation, but progress has been very slow.

Over the years, a few people have persisted in their efforts to automate medical records. Studney reported on a “paperless” office experiment in 1981. Another example, the work of Weed and others, stands out in this regard (Weed, 1975; Wakefield, 1983). Weed worked first to change the record to a rational format so it could be automated and then developed a way of doing this sensibly and efficiently.

On-line records of medical and other sensitive data create serious problems related to security and privacy. A reasonably intelligent, creative, and persistent snoop probably could break into the areas of the record containing confidential data. Although the same can be said about manual medical records, it is important to recognize that placing medical records in computers and then hooking the computers into communications networks exacerbates the privacy issue.

Many standards must be established before automated lifetime medical records can be used widely in our modern mobile society. Standards must be developed for both the automated medical record format as well as for the technical components of the system. Format standards should deal with the organization of the data, not the content. The medical profession will not accept the latter except in a limited context. Technical standards include such items as reading and writing methods, record size, the size of memory, and the location of these items in the record.
The equipment to be placed in the physicians’ offices, in hospitals, emergency rooms, pharmacies, and elsewhere also needs to be standardized. Standardized procedures for the transmission of patient data are also needed. Procedures must specify what subgroup of the record can be transmitted to other doctors, insurance carriers, health departments, research studies, and the like. Standards are needed to determine the critical subset to be included on a personal health record card; possibilities include chronic problems, current medications, contraindicated medications, and related data.
Virtually every member of society has a vested interest in allowing controlled access to his or her medical data. Of immediate concern to the patient is the need to share data with his or her physician and other health care professionals involved in providing care. Every member of society also has a vested interest in sharing in a controlled way his or her health experiences with society as a whole. Health experiences of interest and use to society include the nature and frequency of illness, treatments used, and results.

By far the most common method today for entering a patient’s history into a computer is to collect the data on forms and subsequently enter the data into a computer. This method is also almost universally used to enter other patient data collected by physicians and other staff members who use standard encounter forms. Attempts to develop systems in which the physician enters data directly into the computer have been generally unsuccessful. Systems that allow the patient to enter his or her history data directly into a computer have been successful but are not widely used.

There are many advantages to automating the data entry process for an automated medical records system.

1. Results are entered on-line directly into the computer by the patient, eliminating the need for a staff person to do so at a later time. Research has shown that patients will respond positively to a properly designed system (Solomon, 1985).
2. The best way to ask a question can be carefully constructed. The same question can be asked several times and in several ways, providing more reliable data.
3. The computer can ask appropriate follow-up questions depending on the patient’s previous answers and can probe further when needed, using various branchings within the automated questionnaire itself.
4. Results go directly into the computer as a component of an automated medical record.
5. Finally, the results can be tabulated and summarized by the system, producing an efficient and concise summary.
An automated system need not be entirely impersonal. It can use dialogue. Questions can be framed in a personalized way, such as inserting the person’s name or using the child’s name when a parent is answering for a child. It can eliminate female-only questions if the person is a male and vice versa.
4.2 Clinical Assessment and Risk Evaluation
This is a somewhat arbitrary classification for a broad area of computer applications in medicine. Clinical Assessment and Risk Evaluation (CARE)
covers such applications as using a computer to predict blood pressure variability in pregnancy, management of a transplantation unit of a hospital, the description and representation of ECG structures, and epigastric impedance measurements for the assessment of gastric emptying and motility. Computerized methods of analyzing EEG signals are common. Computers are used to calculate trend analyses in intensive-care units in real time. Everything from the prediction of the chronobiologic index for neonatal cardiovascular risk to modeling an artificial heart has been attempted. Computer-aided impedance cardiology is used to detect ischemic responses during treadmill exercise. A computerized remote control for an implantable urinary prosthesis has been developed. Pulmonary blood circulation has been modeled on a computer. A computer program to diagnose chest pain has been developed to the point where a clinical trial has been proposed. Medical diagnosis has been extensively subjected to computer analyses. Various techniques have been developed, including expert systems designed to improve diagnoses. Patient management has been enhanced by computers. Automated medical records, discussed elsewhere, is a major component of patient management, but there are other areas. Nursing workloads and the scheduling of equipment are managed by computers. Computers are used to manage supplies and control drug delivery and usage. The accuracy of patient care is enhanced by the use of computers. For example, drug administration can be monitored in such a way as to increase accuracy (correct drug, correct dose) and timing. The uses seem almost limitless.
4.3 Imaging Systems

Computers are transforming radiology into a filmless system. The technology now exists to replace most if not all film-based radiology. Probably the most important reasons why there is any film use today are tradition, resistance to change, and the need to continue to use expensive equipment until it can be charged off. In the long run there seems to be little reason not to change. Filmless radiology is so logical. Film storage and handling has always been a problem. Digital images are stored internally in a computer and can be called up on a remote screen as needed. Indeed two people in locations many miles apart can view the same image and conduct a consultation. Digital imaging using computers makes possible three-dimensional reconstruction of internal organs. As techniques improve it will be possible to observe smaller and smaller segments of normal or abnormal body parts such as small brain tumors. The transformation of radiological techniques by computers is truly phenomenal.
Literature in the field has exploded. In recent years, computer-based medical conferences have been inundated with papers reporting on research in this area. Only a few of them are included in the paper’s references since other publications provide extensive coverage. Several large conferences, such as the European-based Computer-Aided Radiology (CAR) conference, are devoted exclusively to this area.
4.4 Medical Devices

Modern medicine depends on many medical devices that are either computer-based or include an embedded computer. They are often taken for granted. No one, for example, in an operating room during open-heart surgery thinks about the real-time performance of a half-dozen or so on-board processors using thousands of lines of code within them. Nonetheless, their reliability and accuracy are critical to the surgery.

Manufacturers of computer-based medical devices face special commercialization challenges, not the least of which is to demonstrate that the system is safe and performs as intended. In a recent article Kriewall and Long (1991) described a cochlear implant device that can be tested only by surgically implanting the device into a human. Another type of device is a nuclear therapy machine. For this device controls must be designed to prevent the operator from administering an overdose.

Regulations are expected to assure that medical devices are reliable and safe. As previously discussed, the FDA is attempting to do this with limited success. Reliability and quality in medical devices involves both fault-tolerant hardware and accurate software. The design and implementation cycle for medical devices must consider the potential for medical malpractice at all stages. The number of malpractice suits related to devices has increased dramatically in the past few years and this trend will continue. Malpractice considerations are dramatically affecting the design procedures of medical instruments.

In 1990, Congress passed the Safe Medical Devices Act. It represents the government’s effort to shore up the ability of the FDA to regulate medical devices by broadening its control. Legislation and regulations designed to control drugs, the traditional areas for the FDA, are often either not applicable to medical devices or apply to them in an awkward way. Medical software has also come under closer scrutiny.
The FDA has issued directives that attempt to define good manufacturing practice in the development of medical software. More and more often, software is replacing hardware in devices because it is more easily changed and has greater functionality than hardware. Techniques for fault-tolerant software are being developed. Multiversion software techniques are used to improve accuracy. These techniques include
N-version programming that requires a consensus “vote” to determine the “correct” outputs. A Recovery Block method uses an acceptance test to judge the correct output. A hybrid method combining the two is called a Consensus Recovery Block. Reliability engineering involves the use of a variety of tools to specify, predict, design, test, and demonstrate the function of a device. These tools are used in many application areas but take on a special significance when applied to medical devices.

Quality concerns must also be dealt with. Medical software applications introduce unique problems. An alternative to the FDA’s way of monitoring software has been introduced by the International Standards Organization, called ISO 9000. There is also a very practical side to quality concerns, such as cost controls and market needs. Quality must be a part of every step of the development cycle, beginning with understanding customer requirements, converting these requirements into equivalent engineering specifications, hazard analyses of the functional prototype, and testing under normal and reasonably expected abusive conditions.

As reflected in our extensive reference list on medical devices, there are many development efforts for medical devices that use computer technology. Application areas range from an eye monitor, an implantable telemetry system, and an orthopedic implant, to a closed-loop drug delivery system, as well as various intensive-care and other patient monitoring devices. Many of the devices reported in the public literature have been developed in an academic research environment. A great deal of the really interesting work on medical devices remains confidential because of their commercial value.
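The three multiversion techniques named in Section 4.4 (N-version voting, the Recovery Block acceptance test, and the Consensus Recovery Block that combines them) can be sketched as follows. This is an added example, not code from the chapter or from any device it cites; the dose formula, the 500 mg cap, the 1% tolerance, and the seeded faults are constructed assumptions.

```python
"""Consensus Recovery Block for a dose calculation (constructed example)."""
from typing import Callable, List, Optional, Sequence, Tuple

DoseFn = Callable[[float, float], float]
MAX_DOSE_MG = 500.0  # constructed safety cap, not a clinical value


def version_a(weight_kg: float, mg_per_kg: float) -> float:
    """Version 1: direct floating-point formula with the cap."""
    return min(weight_kg * mg_per_kg, MAX_DOSE_MG)


def version_b(weight_kg: float, mg_per_kg: float) -> float:
    """Version 2: same specification, computed in integer micrograms."""
    micrograms = round(weight_kg * 1000) * round(mg_per_kg * 1000) // 1000
    return min(micrograms / 1000.0, MAX_DOSE_MG)


def version_unit_fault(weight_kg: float, mg_per_kg: float) -> float:
    """Seeded fault: converts the weight as if it were pounds; no cap."""
    return (weight_kg / 2.2046) * mg_per_kg


def version_crash(weight_kg: float, mg_per_kg: float) -> float:
    """Seeded fault: fails at run time."""
    raise RuntimeError("lookup table not loaded")


def run_versions(versions: Sequence[DoseFn], weight_kg: float,
                 mg_per_kg: float) -> List[Optional[float]]:
    """Run every version; a crash becomes None instead of stopping the block."""
    outputs: List[Optional[float]] = []
    for fn in versions:
        try:
            outputs.append(float(fn(weight_kg, mg_per_kg)))
        except Exception:
            outputs.append(None)
    return outputs


def vote(outputs: Sequence[Optional[float]], quorum: int,
         tol: float = 1e-6) -> Optional[float]:
    """N-version vote: a value wins if at least `quorum` outputs agree with it."""
    valid = [o for o in outputs if o is not None]
    for candidate in valid:
        if sum(1 for o in valid if abs(o - candidate) <= tol) >= quorum:
            return candidate
    return None


def acceptance_test(dose: float, weight_kg: float, mg_per_kg: float,
                    rel_tol: float = 0.01) -> bool:
    """Recovery-block check: range limit plus an inverse (dose per kg) check."""
    if weight_kg <= 0 or mg_per_kg <= 0 or not 0.0 < dose <= MAX_DOSE_MG:
        return False
    per_kg = dose / weight_kg
    if dose == MAX_DOSE_MG:  # capped result: rate must not exceed the order
        return per_kg <= mg_per_kg * (1 + rel_tol)
    return abs(per_kg - mg_per_kg) <= rel_tol * mg_per_kg


def consensus_recovery_block(versions: Sequence[DoseFn], weight_kg: float,
                             mg_per_kg: float) -> Tuple[Optional[float], str]:
    """Vote first; without a majority, take the first output (in rank order)
    that passes the acceptance test; otherwise report failure."""
    outputs = run_versions(versions, weight_kg, mg_per_kg)
    agreed = vote(outputs, quorum=len(versions) // 2 + 1)
    if agreed is not None:
        return agreed, "vote"
    for out in outputs:
        if out is not None and acceptance_test(out, weight_kg, mg_per_kg):
            return out, "acceptance"
    return None, "failed"  # caller must fail safe, e.g. withhold the dose


if __name__ == "__main__":
    for label, vs in [
        ("one faulty of three", [version_a, version_b, version_unit_fault]),
        ("no majority", [version_unit_fault, version_crash, version_a]),
        ("nothing acceptable", [version_unit_fault, version_crash, version_crash]),
        # Two versions sharing one fault outvote the correct one: voting
        # does not protect against common-mode faults.
        ("common-mode fault", [version_unit_fault, version_unit_fault, version_a]),
    ]:
        print(label, consensus_recovery_block(vs, 70.0, 2.0))
```

The last case shows why independence between versions matters: a majority that shares the same fault is accepted by the vote without ever reaching the acceptance test.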
5. Artificial Intelligence in Medicine

Artificial intelligence (AI) is a technical area of computer science that has much relevance in clinical medicine. Expert systems and artificial neural systems are especially relevant to any discussion of computer-based medical systems. Among the very first AI applications were those in medicine. An expert system called INTERNIST and another called MYCIN are two early and frequently cited medical applications of AI (Miller et al., 1982; Shortliffe et al., 1975). INTERNIST was initiated by a good diagnostician in an effort to record his expertise more completely than he could using conventional forms of written communication. The project continues (Miller et al., 1985; Miller et al., 1986). MYCIN received wide publicity and inspired a number of additional medical projects using rule-based expert systems. Some of
these other applications have reached clinical use in limited settings, although, ironically, it appears that MYCIN has not (Kunz et al., 1978). An early text on expert systems listed over 50 medical expert systems (Waterman, 1986). The journal MD Computing devoted an issue to expert systems which introduced three of them (Miller et al., 1986; Kingsland et al., 1986; Tuhrim and Reggia, 1986). These systems remain essentially in academic settings. Systems have been used to enhance clinical research (Long et al., 1987).

There are several reasons for the wide experimentation with artificial intelligence in medicine. AI systems can manipulate symbolic knowledge, that is, knowledge expressed in symbols (e.g., words), making possible the automation of systems that deal with medical concepts which cannot be expressed numerically. A few, albeit quite simple, techniques have been developed that allow one to program a computer so as to imitate the kind of subjective judgmental reasoning that is used by doctors when they are practicing their profession. Expert reasoning is based on experience that often cannot be reduced to a conventional algorithm.

Medical applications are especially popular in AI because the diagnostic and other reasoning processes of medicine, while highly complex and somewhat subjective, do follow an intelligent rational path based on reasonably well-defined practices and a body of knowledge. Medical diagnoses and other medical decision-making processes are often “fuzzy.” Expert systems allow for the uncertainty that is inherent in clinical judgment. Heuristic rules can approximate the reasoning process actually followed by a clinician.

Artificial neural systems (ANS), another area of AI closely associated with medicine, are themselves inspired by the human neural system and attempt in a simplistic way to imitate it. Artificial neural systems have been developed that can be trained to think and “learn.”
5.1 Expert Systems
5.1.1 Overview

Almost anywhere today one can find articles about expert systems. This rather specialized branch of computer science is not new. Although it has only recently emerged from academia, it goes back to the 1960s when there was a major effort to use computers to translate from one language to another, especially from Russian to English. Although there has been some progress, a workable computer translation system is still far from realization today. However, as is usually the case, some very useful and practical applications have evolved from this general research area.
Expert systems are a part of a branch of computer science called Artificial Intelligence or simply AI. The name, “artificial intelligence,” conjures up negative feelings for many people. Some prefer to use the term “machine learning.” Artificial intelligence is that area of computer science that attempts to build systems which can imitate intelligent human-like processes. The field is broad and includes, besides expert systems and artificial neural systems, robotics, voice recognition and computer vision systems, and natural language research.

There are several reasons for all of this activity related to the use of expert systems in medicine.

1. There is a new understanding that computers can manipulate symbols as well as numbers. Computers used to be thought of as “number crunchers.” Numbers were used to code virtually all symbolic information, such as names and categories. Computer printouts had to be decoded. Advances in computer systems over the years, in both hardware and software, now facilitate the storage and manipulation of symbolic knowledge such as English words. This allows computers to work with medical concepts that cannot be reduced to numbers.
2. A few, albeit quite simple, techniques have been developed that allow one to program a computer to imitate the kind of subjective judgmental reasoning that is used by experts, such as doctors, when they are practicing their profession. Such reasoning is often based upon experience that either cannot or has not been reduced to a conventional written form. Expert systems provide a means of recording certain kinds of knowledge that has not been recorded in any other way.
3. There has been a continual decrease in computer costs. The costs of the large computer capacity required to record and manipulate the symbolic knowledge needed by expert systems is now low enough as to make them feasible. Costs are hundreds and thousands instead of millions of dollars.
4. Computers have become “user friendly.” They are relatively easy to use and are accepted and used by many physicians. This allows clinical experts who know little or nothing about computers to be more intimately involved in the process.
5. Medical applications are especially popular in AI because the diagnostic and other reasoning processes of medicine, while highly complex and somewhat subjective, follow an intelligent rational path based on reasonably well-defined practices and a body of scientific knowledge.
6. Most medical decision-making processes like diagnosing and treatment selection are inexact. The heuristic programming methods of AI are especially suited to such problems. Expert systems allow for the uncertainty that is inherent in clinical judgment. The heuristic rules of AI can approximate the reasoning process actually followed by a clinician.
5.1.2 What Is an Expert System?

Expert systems technology uses a totally different approach to the design of computer-based programs. The value of this approach is based on two very important elements not found in conventional computer programs. The programs incorporate and use nonnumerical knowledge about the specific application area of the system. They also operate with incomplete information and arrive at the best solution possible under the circumstances in much the same way that human experts would do under similar conditions.

Two components of the system are especially important: the knowledge base and the inference engine. The knowledge base contains the background of clinical knowledge that is needed to work with individual clinical cases. Conventional computer programs contain only the defined and predetermined programming steps that are used to manipulate data. The inference engine is that part of the computer program that would, for instance, analyze data from an individual patient using general clinical knowledge contained in the knowledge base. The expert system uses methods, usually in the form of rules, that are roughly equivalent to heuristic human-like thought. Conventional computer programs use only predetermined and pre-set algorithmic methods.

In expert systems, the knowledge stored is primarily symbolic (that is, nonnumeric) in the form of rules, attributes, and frames of related facts that represent the known and relevant information about the clinical topic it covers. An expert system is engineered to imitate the methodology and rationale of an expert. It is based on the expert’s experience and goes beyond knowledge that can be found in books. These experimental methods are called heuristics or “rules of thumb.” By their very nature expert systems are capable of explaining the reasoning process used to arrive at a conclusion.
This is especially important in medical practice, because it makes it possible for physicians who use them to check the validity of, and have confidence in, the results. Systems have been built that attempt to imitate a medical expert in diagnosing, in consulting, when examining a large database for new medical knowledge, and when analyzing clinical data when clinical judgment is required (Miller et al., 1982; Shortliffe et al., 1975; Waterman, 1986; Long et al., 1987). The latter effort is especially relevant in clinical trials and other areas of clinical research that rely heavily on clinical judgment for the analysis of data.
Using a broad definition, any computer-based system designed to imitate the intellectual processes of an expert can be called an expert system. Using this definition, for example, programs written in the 1960s to analyze electrocardiograms are expert systems. Many articles written in medically oriented publications seem to adopt this broad definition. Most computer scientists would probably not accept such a definition. Those working in the AI area probably prefer to use a narrow technical definition. They would be more apt to define expert systems as systems that are built using the techniques of AI and developed (though not necessarily operated) in one of the AI computer languages such as LISP (for LISt Processing) or PROLOG. Techniques of AI include such methods as the use of rules and frames to represent knowledge and the use of AI inferencing techniques to maneuver through the system (for example, in backward and forward chaining) to reach a goal. The author favors the latter definition. If one uses the broader definition one may conclude that some of the commercial systems now on the market are expert systems. Using the narrower definition, it is doubtful that any of the commercial products offered today are true expert systems.
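The split between knowledge base and inference engine described in Section 5.1.2, together with forward chaining, backward chaining, and the ability to explain a conclusion, is illustrated by the added example below. It is not code from the chapter or from AGNESS; the four rules and the fact names are constructed placeholders, not clinical rules and not the rules of any system the chapter cites.

```python
"""Minimal rule-based inference engine (constructed example)."""
from typing import FrozenSet, List, NamedTuple, Optional, Sequence, Set, Tuple


class Rule(NamedTuple):
    name: str
    antecedent: Tuple[str, ...]  # the IF part: every fact must hold
    consequent: str              # the THEN part: the fact concluded


# Knowledge base: symbolic rules, kept apart from the engine that runs them.
KNOWLEDGE_BASE: List[Rule] = [
    Rule("R1", ("exercise_time_increased", "st_depression_not_worse"),
         "exercise_tolerance_improved"),
    Rule("R2", ("exercise_tolerance_improved", "no_new_symptoms"),
         "performance_improved"),
    Rule("R3", ("st_depression_worse",), "ischemia_progressed"),
    Rule("R4", ("ischemia_progressed",), "performance_worsened"),
]

# Constructed findings for one patient.
SAMPLE_FACTS: Set[str] = {
    "exercise_time_increased", "st_depression_not_worse", "no_new_symptoms",
}


def forward_chain(rules: Sequence[Rule],
                  facts: Set[str]) -> Tuple[Set[str], List[str]]:
    """Work from known facts toward conclusions until no rule can fire.
    Returns every fact established and the rule names in firing order."""
    known, fired = set(facts), []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.consequent not in known and all(
                    a in known for a in rule.antecedent):
                known.add(rule.consequent)
                fired.append(rule.name)
                changed = True
    return known, fired


def backward_chain(rules: Sequence[Rule], facts: Set[str], goal: str,
                   _open: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Work from a goal back to the facts that support it.
    Returns the explanation as a list of steps, or None when the goal cannot
    be established from the available (possibly incomplete) facts."""
    if goal in facts:
        return [f"{goal}: given"]
    if goal in _open:  # goal already being pursued: circular rule set
        return None
    for rule in rules:
        if rule.consequent != goal:
            continue
        steps: List[str] = []
        for premise in rule.antecedent:
            sub = backward_chain(rules, facts, premise, _open | {goal})
            if sub is None:
                break  # this rule cannot be satisfied; try the next one
            steps.extend(sub)
        else:
            steps.append(
                f"{goal}: by {rule.name} from {', '.join(rule.antecedent)}")
            return steps
    return None


if __name__ == "__main__":
    known, fired = forward_chain(KNOWLEDGE_BASE, SAMPLE_FACTS)
    print("rules fired:", fired)
    for line in backward_chain(KNOWLEDGE_BASE, SAMPLE_FACTS,
                               "performance_improved") or ["not established"]:
        print(" ", line)
```

The explanation returned by `backward_chain` is what lets a user check the basis for a conclusion; when a needed finding is missing the function returns `None` instead of guessing.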
5.1.3 Examples of Medical Expert Systems

Current expert system projects in medicine cover a broad range. Expert systems have been built as an aid in diagnosis, consulting, discovery of new medical knowledge, and the analysis of clinical data when clinical judgment is essential (Miller et al., 1982; Shortliffe, 1975; Kunz, 1978; Waterman, 1986; Blum, 1982; Long et al., 1987). It seems clear that the following are the broad areas where medical expert systems will first be introduced into clinical practice.

(a) Diagnostic Aids. Diagnostic aids based on AI technology that are now coming on the market can do several things. First, they make it less likely that a doctor will miss a diagnosis because of a lapse of memory. Humans tend to see things in their current context (X is going around or is common in the practice so X comes to mind), whereas an expert system will consistently follow its own rules in order to consider all options and reach a consistent conclusion. Also, a properly designed expert system will allow a doctor to research cases more easily by cutting through the volumes of data available to get at the relevant cases.

(b) Drug Evaluation and Selection. The Physician’s Desk Reference is now available on-line in doctors’ offices. A true expert system can go well beyond this and provide, for example, the added feature of helping one move quickly to relevant issues.
(c) Consultations. Certain types of data that are normally acquired by a consultation can be programmed into an expert system. To a large extent, this amounts to recording in a more usable format information which could be otherwise found by calling a specialist or through a literature search. Some of these automated consultations will point to the relevant literature. Consultants, the human kind, are not going to be replaced by these systems, but a properly designed expert system, whose knowledge engineering is based on the knowledge and experience of the best clinical experts, can do far more than many doctors realize.

(d) Treatment Protocol Selection. Cancer treatment represents a good example of how an expert system can be used to help a doctor select the best treatment protocol. To assist doctors with the huge volume of data involved the National Cancer Institute has licensed BRUSaunders to offer a system called PDQ (Physician’s Data Query). Another system dealing with birth defects that operates in a way similar to PDQ is also commercially available.

(e) Clinical Data Analyses and Summaries. From a practical standpoint for the practicing physician, an expert system which could produce a condensation and summary of a set of data relevant to a certain patient would be very useful. When available, these systems will assimilate and summarize for the physician the large volumes of data that have been collected on patients in an intelligent and useful way. It has been shown that patient care can be just as good when the physician uses such a summary as when the physician tries to use the entire medical record (Whiting-O’Keefe et al., 1985).

(f) Continuing Medical Education. Continuing medical education is needed by both physicians and patients. Expert systems can enhance and improve computer-based education. Computer-based interactive courses using expert system technology represent an excellent alternative to texts (tedious) and courses (expensive).
The possibilities are very interesting. The same basic course can be tailored automatically to the specific needs of each individual. Educating patients on how to care for themselves is also important for a variety of reasons, including cost containment. Patient and family member training in ways of living with chronic diseases, such as diabetes and heart disease, is especially important. When expert systems technology is combined with the new high-capacity laser-disk storage technology, courses can include a variety of new teaching techniques, such as color video sequences that demonstrate how to do special procedures. Expert systems provide a quantitative
leap over texts in teaching effectiveness and can approach the effectiveness of the “real thing.” The potential use of expert systems in medicine is quite broad and many of these uses promise to be valuable. There is an important missing link. It is the lack of adequate standards and validation procedures for them. Ultimately, something comparable to the regulatory mechanisms of the Food and Drug Administration (FDA) seems to be needed.
5.1.4 An Example of How Expert Systems Are Built

Here is an example of how one expert system was built. It was designed to analyze clinical trial data where the analyses required the use of clinical judgment. This small expert system was built in order to test the methodology. It assesses the data obtained from a pair of serial graded-exercise ECG tests and duplicates the decision reached by a cardiologist regarding changes in patient performance (Long et al., 1987). An abbreviated glossary of AI terms used to describe the development process can be found in Table I.

The basic steps for building the expert system are to develop the knowledge base and to select (and modify, if required) the inference engine. Alternatively, one could custom build the inference engine, an option not considered. The knowledge base contains the rules and facts that fuel the inference engine. The inference engine is that part of the system that interprets the rules and facts as it runs the system.

For the system reported here, one domain expert, a cardiologist, worked with the knowledge engineer to transfer his knowledge into the expert system. A fully developed system would need to use additional input from this cardiologist and other cardiologists as well. A development tool, called AGNESS (A Generalized Network-based Expert System Shell) was used to build the system (Slagle et al., 1986). AGNESS was developed using the specialized programming language used by many people working in artificial intelligence, especially in the United States, called LISP (for LISt Processing).

The rules were developed to approximate those used by a clinician when evaluating the same basic clinical data. This was accomplished through an interactive process in which the knowledge engineer and expert met to discuss and analyze sample problems. The domain (clinical) expert verbalized his thought processes as he worked through a set of problems.
He explained the factual knowledge he used from scientific literature, often citing results of research performed by himself and others. It is especially important to note that he also used and explained, as best he could, the
172
JOHN M. LONG TABLEI ABBREVIATED GLOSSARY OF A1 TERMS
Antecedent: The first part of a rule clause containing a pattern or attribute that must be matched. If the antecedent of a rule being tested is true, the consequent (or action) of the rule is evaluated. Also called the premise. The “IF” part of a rule. Arc: A method of connecting nodes that implies relationships. Attribute: A feature or property of an object. Backward chaining: An expert system control procedure that starts reasoning from a goal and works backward toward preconditions. Consequent: The “THEN” part of a rule, which contains the conclusion function(s) to be evaluated if the antecedent or premise is true. Also called the action. Domain: The problem area whose solution is addressed by the knowledge base and the inference engine. Domain expert: A human expert in the problem area who helps the knowledge engineer build the knowledge base and rules. Expert system: A software program that infers a solution to a problem in a particular area of expertise using a human-like reasoning process including heuristic reasoning. Forward chaining: An expert system control procedure that works from subgoals or preconditions toward the main goal by applying rules. Frame: A knowledge representation method that associates features with nodes representing concepts or objects. The features are described in terms of attributes (called slots) and their values. Heuristic: A technique or assumption that is not formal knowledge, but which aids in finding the solution to a problem. A rule of thumb or clue as to how to carry out the task. Inference: A reasoning step or hypothesis based on current knowledge; a deduction. Inference engine: The part of the expert system that infers a solution to a problem by applying the rules and facts in the knowledge base to the problem. Knowledge base: The computer representation of the domain expert’s knowledge. Contains parameters (facts), rules, and user-defined functions. 
Knowledge engineer: The person who specializes in designing and building expert systems by formalizing information gain from the domain expert. LISP: A programming language for procedure-oriented representation that is often used in artificial intelligence. The acronym comes from LISt Processing. LISP machine: Computers with architectures specifically configured to execute symbolic processing software coded in LISP. Natural language: The conventional method of exchanging information between people; English. Node: A place in the network where a piece of information or a value or a function is located. Prolog: A programming language for logic-based representation that is often used in artificial intelligence. Rule: A combination of facts, functions, and certainty factors in the form of an antecedent (premise) and a consequent (action), as in an “IF.. . THEN” sentence. Semantic network: A knowledge representation method consisting of a network of nodes standing for concepts or objects, connected by arcs describing relations between the nodes. Workstation: An A1 workstation is a microcomputer that is specifically designed to accommodate the development of expert systems and other work in artificial intelligence. It may involve both the architecture (hardware) of the computer as well as the software it uses, including a LISP compiler and other software aids.
COMPUTER-BASED MEDICAL SYSTEMS
173
“rules of thumb” or heuristics that he found helpful. Heuristics are based on experience rather than upon book knowledge and their incorporation into the system is one of the unique reasons why expert systems work. As these sessions progressed, the knowledge engineer formulated, modified, discarded, replaced, and expanded the rules used by the domain expert, either stated or implied. The computer version of the rules are often of the “IF.. .THEN” type. The IF part, called the antecedent (or premise), contains the pattern or attributes that must be matched for the rules to be used. The THEN part, called the consequent, contains the action to be taken or the assertion to be made when the antecedent is satisfied. A set of representative cases were carefully selected so as to present to the expert a variety of typical situations and to stimulate explanations by the clinician as to what he was doing to solve the case. Each of the sessions between the engineer and the expert were tape recorded and later analyzed by the knowledge engineer in order to extract and define the rules for the expert system. The resulting expert system was tested on a set of 100 cases in order to validate the system. The cases were selected to be representative of all the different types of results. Each of the cases was evaluated individually by two different members of a panel of five expert cardiologists. The 100 pairs of tests were evaluated in such a way that each reader’s cases within a group were equally distributed among the other four readers for the other reading. We then examined the conclusions made by the expert system to determine how the rules were working; that is, how well they matched the individual cardiologists’ evaluations. A third method was also used. The 100 cases were evaluated using multiple linear regression equations. It is interesting to note that several of the variables used in the multiple regression equation had obscure clinical meanings. 
When the pairs of tests were evaluated by either of the two cardiologists, or by the expert system, or by the multiple regression equation, the conclusion was whether or not a patient’s result was better or worse from the first to the second test using the following seven-point scale:

1 = much worse
2 = worse
3 = slightly worse
4 = no change
5 = slightly better
6 = better
7 = much better
The three methods for evaluating the test data were compared in two different ways as to how well they agreed with the cardiologists. “Exact” agreement meant that the same point on the seven-point scale was used as the conclusion for both of the evaluations being compared. Agreement “within a single category” meant that the two evaluations used the same or immediately adjacent category of the seven-point scale. That is, the absolute value of the difference between the two evaluations was 1 or 0. The comparisons were made based on the percentage of agreement of the cardiologists among themselves, with the expert system, and with the multiple regression equation, respectively.

Table II summarizes the average results. For “exact” agreement the expert system agreed with the cardiologists about as well as the cardiologists agreed among themselves. They agreed with themselves 41.0% of the time and with the expert system 41.7% of the time. The expert system did much better than the multiple regression equations, which agreed with the cardiologist 34.0% of the time. For agreement “within a single category,” the expert system performed best. It agreed with the cardiologists 83.5% of the time. The multiple regression equations’ evaluations, at 81.5%, did better than the cardiologists who agreed among themselves “within a single category” 76.0% of the time. After making allowance for normal variation, it was concluded that even a very basic expert system can evaluate serial graded-exercise ECG test data about as well as, and may actually perform better than, either the individual cardiologists or multiple regression equations.
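The two agreement measures defined above, together with the two-readers-per-case design, can be worked through in code. This is an added example, not code from the study: the ratings are constructed, ten cases per reader pair is one reading of the balanced assignment described in the text, and pooling both cardiologist readings against the expert system is an assumption about how the averages were formed.

```python
from collections import Counter
from itertools import combinations

# Seven-point scale used for every evaluation in the study.
SCALE = {1: "much worse", 2: "worse", 3: "slightly worse", 4: "no change",
         5: "slightly better", 6: "better", 7: "much better"}


def assign_readers(n_cases, readers):
    """Give each case two different readers, cycling through every reader pair
    so that each reader shares equally many cases with each other reader."""
    pairs = list(combinations(readers, 2))
    if n_cases % len(pairs):
        raise ValueError("n_cases must be a multiple of the number of reader pairs")
    return [pairs[i % len(pairs)] for i in range(n_cases)]


def cases_per_reader(assignment):
    """Count how many cases each reader evaluates under an assignment."""
    return Counter(reader for pair in assignment for reader in pair)


def agreement(score_pairs):
    """Return (exact %, within-a-single-category %) for (a, b) score pairs."""
    score_pairs = list(score_pairs)
    if not score_pairs:
        raise ValueError("no evaluations to compare")
    for a, b in score_pairs:
        if a not in SCALE or b not in SCALE:
            raise ValueError(f"score outside the seven-point scale: {(a, b)}")
    n = len(score_pairs)
    exact = sum(a == b for a, b in score_pairs)
    # "Within a single category": absolute difference of 0 or 1.
    within_one = sum(abs(a - b) <= 1 for a, b in score_pairs)
    return 100 * exact / n, 100 * within_one / n


# Constructed ratings: (first cardiologist, second cardiologist, expert system).
SAMPLE = [(4, 4, 4), (5, 4, 4), (3, 5, 4), (6, 6, 5), (2, 3, 3),
          (7, 5, 6), (4, 4, 5), (1, 2, 2), (5, 5, 5), (3, 6, 4)]


def compare(sample):
    """Agreement among cardiologists, and of cardiologist readings with the system."""
    card_vs_card = agreement((r1, r2) for r1, r2, _ in sample)
    # Assumption: both readings of a case are compared with the system and pooled.
    card_vs_system = agreement(
        pair for r1, r2, s in sample for pair in ((r1, s), (r2, s)))
    return {"card_vs_card": card_vs_card, "card_vs_system": card_vs_system}


if __name__ == "__main__":
    plan = assign_readers(100, "ABCDE")      # five readers, as in the panel
    print("cases per reader:", dict(cases_per_reader(plan)))
    print("cases per reader pair:", dict(Counter(plan)))
    for name, (exact, within) in compare(SAMPLE).items():
        print(f"{name}: exact {exact:.1f}%, within one category {within:.1f}%")
```

On the constructed ratings the two measures diverge sharply, which is the same pattern Table II reports: near-misses by one category count for nothing under “exact” agreement and count fully under “within a single category.”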
5.1.5 Strengths and Weaknesses of Expert Systems

The experimental expert system did very well when it is considered that it was designed using the knowledge input of just one cardiologist and using only a limited number of iterations of the knowledge engineering process. The purpose of developing the expert system was to examine the ability of such an expert system to provide clinical researchers with a new tool to evaluate clinical research data when clinical judgment is an important element in the evaluation. This simple purpose was accomplished.

TABLE II
AVERAGE CARDIOLOGISTS’ READINGS COMPARED AMONG THEMSELVES, TO MULTIPLE REGRESSION EQUATIONS, AND TO THE EXPERT SYSTEM

                           Card. vs Card.   Card. vs Reg. Eq.   Card. vs Expert System
Exact                      42.0%            34.0%               41.7%
Within a single category   76.0%            81.5%               83.5%

It is interesting that the expert system matched or slightly improved upon the performance of the statistical method. This may be because the analysis of serial data includes a strong component of clinical judgment which is more easily accommodated by an expert system. This does not imply that expert systems can replace statistical methods. Indeed, they cannot! However, there are a number of situations, such as the serial evaluation of graded exercise ECG test data, where expert systems can be used to improve upon and automate the process. The point is that expert systems provide an additional analytical tool for clinical research studies, especially clinical trials. Sometimes expert systems will work better than statistical methods alone. There are times when it would appear to be inappropriate to use an expert system (e.g., where clinically meaningful and objective measurements can be obtained). A not uncommon situation might involve the use of some combination of the two approaches.

For the evaluation of serial clinical data such as graded exercise ECG test data, it appears that a fully developed expert system will provide clinical researchers with more information than can be obtained from conventional statistical methods such as multiple regression. Furthermore, expert systems are far more efficient and practical than individual experts or a panel of experts for evaluating data, provided there is a large enough number of clinical comparisons to justify the development costs. The cost to develop and use expert systems appears to be reasonable. This is especially true now that expert system development shells such as AGNESS are widely available.
The prototype expert system reported here was developed using about ten hours of a cardiologist’s time and 100 hours of the knowledge engineer’s time, including about 50 hours on an AI workstation.

There is another point to be made regarding the use of expert systems. This involves the need to use analytical methods that are clinically meaningful. Expert systems, by their nature, have this. In the demonstration project some of the variables used by the multiple regression equations for prediction had clinically obscure meanings. The cardiologists were not especially comfortable with this situation. They also felt that the statistical method used too little of the clinical data available (that is, too few of the variables were employed).

There is still another benefit to be gained from the development of an expert system. Even though the focus of the project was to test expert systems for the analysis of clinical trials data, and not on how to evaluate ECGs, the knowledge engineering process added to the knowledge and understanding of the mental processes cardiologists use in assessing serial graded exercise ECGs.
The expert system that has been described demonstrates that these systems can automate the analysis of some clinical trial data and other types of serial clinical research data. This is a new and different way to use expert systems in medicine. Clinical research projects can use expert systems to automate these types of analyses, thereby relieving the professional and/or technical staff of the rote processes now commonly used to analyze these types of clinical data. This can be done without sacrificing the amount of information derived from the data, which could be the case if conventional statistical methods are used.
5.1.6 Current Status of Medical Expert Systems

As demonstrated, expert systems will work for certain types of well-defined projects, such as the serial assessment of clinical trial data that require clinical judgment in their assessment. The question remains as to how far one might be able to go using this new technology. Almost none of the medical expert systems built so far have been used in a real-world clinical setting. Those that have been used in a clinical setting have been used only in the clinical setting where they were developed. HELP (Health Evaluation through Logical Processing) may be one of the rare exceptions; developed by a team headed by Homer Warner and marketed by Control Data Healthcare Systems, it has been installed in several hospitals.

As it stands today, there are some serious drawbacks to using expert systems in clinical practice. There are some important missing links. Perhaps the most important ones are the lack of adequate standards and validation procedures. It is possible that something comparable to the regulatory procedure used for the control of drugs by the United States Food and Drug Administration is needed for these expert systems. The subject is controversial. Testimony before the United States Congress in April of 1986 brought forth several people who objected to governmental control of this newly emerging technology. Those opposed to government regulation object because they feel regulations will squelch a very fluid and truly creative and exciting new area in medicine (McDonald, 1986). They further feel physicians do not need them since they are intelligent enough to judge the systems for themselves and have the training and experience to use them in an appropriate way. They contend that expert systems are simply a new and advanced way of recording and retrieving knowledge similar to the way it is done using books and journals. Medical publishing is not controlled by the government and does not need to be, nor do expert systems, they contend.

Resolution of the controversy may depend upon whether expert systems will be considered an extension of the publishing medium or a new medical device that must be controlled. It is this author’s opinion that expert systems can and will eventually go far beyond that of published materials in influencing and directing clinical practice. Government regulation of expert systems is inevitable. It is only a matter of time and will probably occur in the not too distant future. Those of us who wish to build and/or use expert systems in clinical practice need to be concerned about these matters.

Fortunately, for those who wish to use expert systems for data analysis in clinical trials and other clinical research areas, the problems related to clinical practice do not apply. This group of users can devote their energies to the fundamentals of building and using expert systems. The two aspects of their development that need attention are knowledge representation and inferencing techniques. Methods of knowledge representation are under intensive research. Perhaps the most fundamental and surprisingly simple contribution of this research so far is the IF-THEN format for the representation of knowledge. Semantic networks allow rules to be built into causal chains that allow a “deeper” level of knowledge representation. These tools work quite well for building a system for a limited and well-defined problem such as the one described in this article.

Current methodology for building expert systems generally provides for fairly complete separation of the knowledge base and the inference engine. For most practical applications today, the use of inference engines and expert system shells, such as those we used for the demonstration project, would appear to be the way to go. There are several excellent reviews of the field (Waterman, 1986; Shortliffe et al., 1990).
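The IF-THEN format and the separation of knowledge base from inference engine can be shown with a forward-chaining engine that knows nothing about the domain and a rule list that carries all of it. This is an added example, not AGNESS and not the study's rule base: the fact names, thresholds and rules are hypothetical placeholders chosen only to yield a seven-point result, and they carry no clinical meaning.

```python
from dataclasses import dataclass
from typing import Callable

SCALE = {1: "much worse", 2: "worse", 3: "slightly worse", 4: "no change",
         5: "slightly better", 6: "better", 7: "much better"}


@dataclass(frozen=True)
class Rule:
    name: str
    antecedent: Callable[[dict], bool]   # IF part: pattern matched against the facts
    consequent: Callable[[dict], dict]   # THEN part: facts asserted when it matches


def forward_chain(rules, facts):
    """Inference engine: fire every rule whose antecedent holds, at most once each,
    and repeat until a full pass adds nothing. Contains no domain knowledge."""
    facts = dict(facts)
    fired = []
    progress = True
    while progress:
        progress = False
        for rule in rules:
            if rule.name not in fired and rule.antecedent(facts):
                facts.update(rule.consequent(facts))
                fired.append(rule.name)
                progress = True
    return facts, fired


def trend(change, threshold):
    """+1 if the change reaches the threshold, -1 if it reaches its negative, else 0."""
    return 1 if change >= threshold else -1 if change <= -threshold else 0


# Knowledge base (hypothetical placeholders, not the study's rules). Input facts:
# exercise duration in seconds and ST depression in millimetres for tests 1 and 2.
# The rules are listed "backwards" on purpose: chaining does not depend on order.
KNOWLEDGE_BASE = [
    Rule("marked-change",
         lambda f: "score" in f and abs(f["duration_change"]) >= 180
         and f["duration_trend"] == f["st_trend"] != 0,
         lambda f: {"score": f["score"] + f["duration_trend"]}),
    Rule("combine",
         lambda f: "duration_trend" in f and "st_trend" in f,
         lambda f: {"score": 4 + f["duration_trend"] + f["st_trend"]}),
    Rule("duration-trend",
         lambda f: "duration_change" in f,
         lambda f: {"duration_trend": trend(f["duration_change"], 60)}),
    Rule("st-trend",
         lambda f: "st_change" in f,
         # Less ST depression on the second test counts as improvement.
         lambda f: {"st_trend": -trend(f["st_change"], 0.5)}),
    Rule("duration-change",
         lambda f: "duration_1" in f and "duration_2" in f,
         lambda f: {"duration_change": f["duration_2"] - f["duration_1"]}),
    Rule("st-change",
         lambda f: "st_1" in f and "st_2" in f,
         lambda f: {"st_change": f["st_2"] - f["st_1"]}),
]

# Constructed test pairs.
CASES = {
    "A": {"duration_1": 420, "duration_2": 630, "st_1": 2.0, "st_2": 1.0},
    "B": {"duration_1": 500, "duration_2": 520, "st_1": 1.0, "st_2": 1.0},
    "C": {"duration_1": 600, "duration_2": 480, "st_1": 1.0, "st_2": 1.2},
    "D": {"duration_1": 400, "duration_2": 500},   # ST data missing
}


def evaluate(case, rules=KNOWLEDGE_BASE):
    """Run the engine on one pair of tests; return (score, label, fired rule names)."""
    facts, fired = forward_chain(rules, case)
    if "score" not in facts:
        return None, "insufficient data", fired
    return facts["score"], SCALE[facts["score"]], fired


if __name__ == "__main__":
    for name, case in CASES.items():
        score, label, fired = evaluate(case)
        print(name, score, label, "via", " -> ".join(fired))
```

The list of fired rules doubles as an explanation trace, and swapping in a different `KNOWLEDGE_BASE` changes the system's behavior without touching `forward_chain`.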
6. Concluding Remarks

6.1 A Brief Look Toward the Future

This chapter covers, as well as the author is able to do, the revolution (the term is used advisedly) that is being brought about in medicine because of the technological developments related to the merger of the computer and communications, that is, information age medicine. We call the related systems computer-based medical systems (CBMS). The pace of the revolution has been quite deliberate, as one would expect in the healing profession. Among the earliest applications, beginning in the early 1960s, were the automation of electrocardiographic data analyses and laboratory quality-control systems. Medical records automation, initially related to billing and inventory control, was also attempted at about the same time. However, it was not until the rise of the personal computer that the private practice physician began to pay serious attention to computers as they relate to clinical medicine.

Certain specialties adapted to computing early. Radiology entered the computer age early using computer axial tomography (CAT) scanners. This was followed by magnetic resonance imaging and, currently, digital imaging of general radiology. Filmless radiology seems inevitable in the not too distant future.

As the medical records system becomes more completely automated, medicine will be able to move to a more advanced state of information age medicine. Because of the existence of these records, statistical analyses can be used to manage public health, including such items as the comprehensive evaluation of patient care protocols, of drugs, and of the long-term outcomes of treatment among other statistical evaluations. For example, cost-effective treatments can be identified. Comprehensive care over a lifetime can become a reality. Both macro and micro management can be improved. A new kind of medical professional, perhaps called a “medical information specialist,” is apt to emerge.

In a more personal context, patients can be responsible for, and more in control of, their individual health. In addition to the comprehensive personal patient data on each patient, a physician also has direct access to virtually all relevant medical knowledge through the doctor’s desktop computer. With the advent of multimedia systems, the doctor can also call up and observe x-rays, coronary angiograms, color slides, and other laboratory data as well as text material. In the not too distant future, without leaving his desk a doctor might feed certain parameters, such as vital signs and symptoms and laboratory data, into a desktop computer and receive in return suggested patient care protocols, including drug regimens.
The feedback will include appropriate literature references and other background material, such as contraindicated medications, potential side effects, alternative treatment regimens, and how and when to seek a consult.

Computer-based medical systems also offer interesting possibilities for patient education and for the continuing education of health professionals. They will be the bases of improved clinic and hospital management, including cost controls, simple and automated medical records collection systems, and better scheduling of health professionals as well as expensive equipment. Technology today often seems to depersonalize medicine but information age medicine can and should do exactly the opposite.

Certain computer-based medical systems are now pushing the limits of traditional controls over medical practice. Professional control by doctors will not change, at least on the surface. However, subtle changes, such as those brought about by the use of expert systems, will make the clear line of authority of the doctor fuzzy and confused. The traditional methods used by the FDA to regulate drugs will not work with computer-based systems. New methods will have to be developed. As is the case with many other areas of science and the professions, information age medicine offers many opportunities as well as pitfalls.
6.2 Summary

This chapter includes a discussion of many of the areas of medicine that are changing due to the impact of computers. Computer-based medical systems are revolutionizing medicine and moving it into the information age. The pace is deliberate as is appropriate for an area that deals with human health. The potential for great benefits exists and many have already been accomplished. By the same token, the changes being brought about because of computers create new problems and exacerbate existing ones. Patient privacy and confidentiality are challenged; traditional controls over medicine are challenged. Ethical and legal issues related to the use of computer software and hardware in patient care are raised. Some of these issues are described and discussed in the second and third sections of this review article.

The fourth and fifth sections discuss specific computer-based medical systems. The continuing automation of medical records is bringing medicine into the information age. Systems designed to assist in clinical evaluations are described. Imaging systems are only briefly discussed even though radiology is probably the most advanced of any medical specialty in its use of computers. The limited coverage here is due in part to its adequate coverage elsewhere. Medical devices, which are incorporating more and more pieces of computer technology, both hardware and software, represent a real dilemma for medicine since their regulation challenges traditional approaches.

A special section has been reserved for those computer-based medical systems that rely on artificial intelligence. Artificial intelligence technology has a special symbiotic relationship with medicine. Quite a bit of the research in artificial intelligence has used medicine as a model. This is especially true for artificial neural systems. Many of the systems originally came out of neurophysiological research and were developed in an attempt to model the function of the human brain at the neuron level. At the same time, the development and study of some artificial neural systems have provided new insights for neurophysiology. Current artificial neural systems have broad applications outside of medicine and none of them resemble too closely the actual human brain.

An extensive list of references is included and it is divided into the same major categories of computer-based medical system used in the text.
References

A. GENERAL

Blum, R. L. (1982). Discovery, confirmation, and incorporation of causal relationships from a large time-oriented clinical data base: The RX Project. Computers and Biomedical Research 15, 164-87.
Kingsland, L. C., Lindberg, D. A. B., and Shamp, G. C. (1986). Anatomy of a knowledge-based consultant system: AI/RHEUM. MD Computing 3(5), 18-27.
Kriewall, T. J. and Long, J. L. (1991). Computer-based medical systems. Computer 24(3), 9-12.
Kunz, J. C., Fallat, R. J., McClunz, D. H., Osborn, J. J., Votteri, B. A., Nii, H. P., Aikins, J. S., Fagan, L. M., and Feigenbaum, E. A. (1978). A physiological rule-based system for interpreting pulmonary function test results. Heuristic Programming Project, Report No. HPP-78-19, Stanford University.
Ledley, R. S. (1966). Use of computers in biomedical pattern recognition. Adv. Comp. 10, 217-52.
Long, J. M. (1986). On providing a lifetime automated health record for individuals. Proc. MEDINFO86 5, Washington, DC, pp. 805-9.
Long, J. M., Slagle, J. R., Leon, A. S., Wick, M. W., Fitch, L. L., Matts, J. P., Karnegis, J. N., Bissett, J. K., Sawin, H. S., and Stevenson, J. P. (1987). An example of expert systems applied to clinical trials: Analysis of serial graded exercise ECG test data. Control Clinical Trials 8, 136-45.
Long, J. M. (1987). The portable automated medical record: A new technology that raises “old” issues for medical record standardization. Topics in Health Record Management 8(2), 44-9.
McDonald, C. T. (1986). Editorial: Medical software regulations, why now? MD Computing 3(5), 7-8.
Miller, A. R. (1971). “The Assault on Privacy-Computers, Data Banks, and Dossiers,” University of Michigan Press.
Miller, R. A., Pope, H. E., and Myers, J. D. (1982). INTERNIST-1, An experimental computer-based diagnostic consultant for general internal medicine. New Engl. J. Med. 307(8), 468-76.
Miller, R. A., Schaffer, K. F., and Meisel, A. (1985). Ethical and legal issues related to the use of computer programs in clinical medicine. Ann. Int. Med. 102(4), 529-36.
Miller, R., Masarie, F. E., and Myers, J. D. (1986). Quick medical reference (QMR) for diagnostic assistance. MD Computing 3(5), 34-48.
Norman, K. L. (1988). Models of the mind and machine: Information flow and control between humans and computers. Adv. Comp. 32, 210-54.
Oberst, B. B. and Long, J. M. (1987). “Computers in Private Practice Management,” Springer-Verlag, New York.
O’Kane, K. C. (1983). Computers in the health sciences. Adv. Comp. 27, 211-63.
Shortliffe, E. H., Davis, R., Axline, S. G., Buchanan, B. G., Green, C. C., and Cohen, S. N. (1975). Computer-based consultations in clinical therapeutics: Explanation and rule acquisition capabilities of the MYCIN system. Comput. Biomed. Res. 8, 303-20.
Shortliffe, E. H., Perreault, L. E., Wiederhold, G., and Fagan, L. W. (1990). “Medical informatics.” Addison-Wesley, New York.
Slagle, J. R., Wick, M. W., and Paliac, M. D. (1986). AGNESS: A Generalized Network Based Expert System Shell, Proceeding of the Fifth National Conference on Artificial Intelligence, Vol. 1.
Solomon, M. (1985). Automated medical history-taking. Connecticut Med. 49(4), 224-6.
Tuhrim, S. and Reggia, J. A. (1986). A rule-based decision aid for managing transient ischemic attacks. MD Computing 3(5), 28-33.
Wakefield, J. S. (ed.) (1983). “Managing Medicine: How to Control Your Problems, Your Health, and Your Medical Expenses,” Medical Communications and Service Association, Kirkland, WA.
Waterman, D. A. (1986). “A Guide to Expert Systems,” Addison-Wesley, Boston, 272-88.
Weed, L. L. (1975). “Your Health and How to Manage It,” Essex Publishing Company.
Westin, A. F. (1967). “Privacy and Freedom,” Atheneum Press, New York.
Westin, A. F. and Baker, M. A. (1972). “Databanks in a Free Society,” Quadrangle Books, New York.
Westin, A. F. (1973). Computers and the public’s right of access to government information. Adv. Comp. 17, 283-315.
Whiting-O’Keefe, Q. E., Simborg, D. W., Epstein, W. V., and Warger, A. (1985). JAMA 254, 1185-92.
Information as a “cure” for cancer (1986). Science 232, 1594-5.
B. VALIDATION, REGULATION, AND STANDARDIZATION

Cagnoni, S. and Livi, R. (1989). A knowledge-based system for time-qualified diagnosis and treatment of hypertension. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 121-3.
Connolly, B. (1989). Software safety goal verification using fault tree techniques: A critically ill patient monitor example. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 118-20.
Fries, R. C. and Riddle, R. T. (1989). A software quality assurance procedure to assure a reliable software device. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 135-8.
Fries, R. C., Stoeger, K. J., Zombatfalvy, D. A., Roberts, J. A., Leen, J. M., and Grove, T. A. (1988). A reliability assurance database for analysis of medical product performance. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 9-14.
Hallenbeck, J. J. and Dugan, J. B. (1990). Design of fault-tolerant systems. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 162-9.
Hamilton, D. L. (1992). Identification and evaluation of the security requirements in medical applications. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 129-137.
Ihlenfeldt, L. D. (1988). Quality begins at home: the role of project leader in software quality assurance. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 147-151.
Johnson, B. W. and Aylor, J. H. (1988). Reliability and safety analysis in medical applications of computer technology. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 96-100.
Knight, J. C. (1990). Issues of software reliability in medical systems. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 153-60.
Kokol, P., Stiglic, B., Zumer, V., and Novak, B. (1990). Software crisis and new development paradigms or how to design reliable medical software. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 137-4.
Kothapalli, B. and Durdle, N. G. (1989). Multichannel data acquisition system for gastric motility. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 130-4.
Lal-Gabe, A. (1990). Hazards analysis and its application to build confidence in software test results. In Proceedings on the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 129-36.
Lief, S. B. and Lief, R. C. (1992). Producing quality software according to medical regulations for devices. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 265-72.
Livi, R. and Cagnoni, S. (1989). Time-qualified evaluation of blood pressure excess. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 124-9.
McAllister, D. F. and Nagle, H. T. (1988). Toward a fault-tolerant processor for medical applications. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 96-100.
Ozdamar, O. (1992). Development and marketing of automated electrophysiological diagnostic devices: Regulatory and safety issues. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 273.
Poliac, M. (1992). Implementing neural networks, software, and hardware in medical products to meet regulatory requirements. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 274.
Paulish, D. J. (1990). Methods and metrics for developing high quality patient monitoring system software. In Proceeding of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 142-52.
Reupke, W. A., Srinivasan, E., Rigterink, P. V., and Card, D. N. (1988). The need for a rigorous development and testing methodology for medical software. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 15-20.
Santel, D., Trautmann, C., and Liu, W. (1988). The integration of a formal safety analysis into the software engineering process: an example from the pacemaker industry. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 152-154.
Schneider, R. H. (1988). FDA Regulations of computer-based medical systems. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 3-5.
Spector, W. B. (1990). How the insurance industry reviews new medical devices and technology for approval and reimbursement under indemnity and HMO contracts. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, p. 161.
Wittenber, J. (1989). A report on the development of a medical device data language (MDDL). In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 140-151.
Woll, R., Fitch, L. L., Clarkson, P. F., and Long, J. M. (1988). Interactive systems to assure informed patient consent. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 163-6.
Zanetty, J. (1992). Marketing and regulatory issues for software in Europe. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 275.
C. AUTOMATED MEDICAL RECORDS SYSTEMS
Favre, E., Bertrand, D., and Pellegrini, C. (1992). A network distributed real-time data acquisition and analysis system. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 147-54.
Kudrimoti, A. S. and Sanders, W. H. (1992). A modular method for evaluating the performance of picture archiving and communication systems. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 44-53.
Martinez, R., Smith, D., and Trevino, H. (1992). Imagenet: A global distributed database for color image storage and retrieval in medical imaging systems. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 198.
Rozewski, C. M., Yahnke, D., and Hart, A. (1992). A comprehensive abstraction tool for the out-patient setting. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 64-73.
Saab, E., Fumai, N., Petroni, M., Roger, K., Collter, C., Malowany, A. S., Carnevale, F. A., and Gottesman, R. D. (1992). Data modeling and design of a patient data management system in an intensive care unit. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 54-63.
D. CLINICAL ASSESSMENT AND RISK EVALUATION
Ayala, D. E. and Hermida, R. C. (1991). Predictable blood pressure variability in clinically healthy human pregnancy. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 54-61.
Bernard, M., Bouchoucha, M., and Cugnenc, P. H. (1990). Analysis of medical signals by an automatic method of segmentation and classification without any a-priori knowledge. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 381-388.
Blanco, C., Cuervas-Mons, V., Muñoz, A., Dueñas, A., Gonzalez, M. A., and Salvador, C. H. (1992). Medical workstation for the management of the transplantation unit of a hospital. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 199-206.
Bottoni, P., Cigada, M., de Guili, A., di Cristofaro, B., and Mussio, P. (1990). Feature-based description and representation of structures in an ECG. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 236-43.
Chitsakul, K., Bouchoucha, M., Lee, J. W., and Cugnenc, P. H. (1991). New method of analysis of epigastric impedance measurement of assessment of gastric emptying and motility. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 10-17.
Clay, W., Burke, D. J., and Sherman, C. (1989). Thermo cardiosystems’ HeartmateTM ventricular assist systems. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 158-63.
Collet, C., Martini, L., Lorin, M., Masson, E., Fumai, N., Petroni, M., Malowany, A. S., Carnevale, F. A., Gottesman, R. D., and Rousseau, A. (1990). Real-time trend analysis for an intensive care unit patient data management system. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 337-44.
Cook, T. A., Fernald, K. W., Miller, T. K., and Paulos, J. J. (1990). A custom microprocessor for implantable telemetry systems. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 412-17.
Dooley, R. L., Dingankar, A., Heimke, G., and Berg, E. (1988). Orthopedic implant design, analysis, and manufacturing system. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 60-4.
Durre, K. P. (1990). BrailleButler: A new approach to non-visual computer applications. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 97-104.
Ebisawa, Y., Kaneko, K., Kojima, S., Ushikubo, T., and Miyakawa, T. (1991). Non-invasive eye-gaze position detection method used on man/machine interface for the disabled. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 374-80.
Fernald, K. W., Cook, T. A., Miller, T. K. III, and Paulos, J. J. (1991). A microprocessor-based implantable telemetry system. Computer 24(3), 23-30.
Franchi, S., Imperato, M., and Prampolini, F. (1992). Multimedia perspectives for next generation PAC systems. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 156-69.
Gerth, W. A., Montgomery, L. D., and Wu, Y. C. (1990). A computer-based bioelectrical impedance spectroscopic system for noninvasive assessment of compartmental fluid redistribution. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 446-53.
Haddab, S., Bouchoucha, M., Cugnenc, P.-H., and Barbier, J. Ph. (1990). New method for electrogastrographic analysis. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 418-25.
Hammer, G. S. (1990). Technology transfer standards for communication aids for disabled people. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 123-128.
Hauck, J. A. (1988). The cardiac volume computer: The development of a real time graphics system using a commercial microcomputer host. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 56-9.
Hermida, R. C., Fernandez, J. R., Ayala, D. E., Rey, A., Cervilla, J. R., and Fraga, J. M. (1991). Prediction of a chronobiologic index for neonatal cardiovascular risk estimation. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 62-9.
Hermida, R. C., Garcia, L., Ayala, D. E., Fernandez, J. R., Mojon, A., Lodeiro, C., and Iglesias, T. (1991). Analysis of nonequidistant hybrid time series of growth hormone by multiple linear least-squares rhythmometry. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 18-25.
Lee, C.-Y., Evens, M., Carmony, L., Trace, D. A., and Naeymi-Rad, F. (1991). Recommending tests in a multimembership Bayesian diagnostic expert system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 28-35.
Himley, S., Butler, K., Takatani, S., Smith, W., and Nose, Y. (1989). Application of computers in development of a total artificial heart. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 164-8.
Hsieh, J. and Ucci, D. R. (1991). Design and modeling of CT systems with GSPN. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 366-73.
Hurwitz, B. E., Shyu, L.-Y., Reddy, S. P., Scheiderman, N., and Nagel, J. H. (1990). Coherent ensemble averaging techniques for impedance cardiography. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 228-35.
Kizakevich, P. N., Teague, S. M., Jochem, W. J., Nissman, D. B., Niclou, R., and Sharma, M. K. (1989). Detection of ischemic response during treadmill exercise by computer-aided impedance cardiology. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 10-15.
Lachance, J., Sawan, M., Pourmehdi, S., Duval, F. (1990). A computerized remote control for an implanted urinary prosthesis. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 112-6.
Li, C. W. and Cheng, H. D. (1990). A mathematical model for pulmonary blood circulation. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 397-404.
Liu, Z.-Q., Zhang, Y.-T., Ladly, K., Frank, C. B., Rangayyan, R. M., and Bell, G. D. (1990). Reduction of interference in knee sound signals by adaptive filtering. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 389-396.
Luria, S. M., Southerland, D. G., and Stetson, D. M. (1991). A clinical trial of a computer diagnosis program for chest pain. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 97-104.
MacGill, I. F., Cade, J. F., Siganporia, R., and Packer, J. S. (1990). VAD: Ventilation management in the I.C.U. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 345-9.
Manolakos, E. S., Stellakis, H. M., and Brooks, D. H. (1991). Parallel processing for biomedical signal processing: Higher order spectral analysis-An application. Computer 24(3), 33-43.
Montgomery, L. D., Montgomery, R. W., Gerth, W. A., and Guisado, R. (1990). Rheoencephalographic and electroencephalographic analysis of cognitive workload. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 220-7.
Myers, G. A., Sherman, K. R., and Stark, L. (1991). Eye monitor: Microcomputer-based instrument uses an internal model to track the eye. Computer 24(3), 14-21.
Nevo, I., Guez, A., Ahmed, F., and Roth, J. V. (1991). System theoretic approach to medical diagnosis. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 94-6.
Paul, A. (1988). The travail involved in getting FDA approval... An overview on what it took to get FDA approval of a medical device with computer technology (a recent experience). In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 28-9.
Peindl, R. D., Hermann, M. C., Russell, K. R., and McBryde, A. M. (1990). Development of a microcomputer system for assessment of chronic compartment syndrome. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 438-45.
Petroni, M., Collet, C., Fumai, N., Roger, K., Groleau, F., Yien, C. Malowany, A. S., Carnevale, F. A., and Gottesman, R. D. (1991). An automatic speech recognition system for bedside data entry in an intensive care unit. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 358-65.
Pourmehdi, S., Mouine, J., Sawan, M., and Duval, F. (1990). Microcomputer-based tactile hearing prosthesis. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 117-22.
Prasad, B., Wood, H., Greer, J., and McCalla, G. (1989). A knowledge-based system for tutoring bronchial asthma diagnosis. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 40-5.
Purut, C. M., Craig, D. M., McGoldrick, J. P., and Smith, P. K. (1990). Determination of vascular input impedance in near real-time using a portable microcomputer. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 252-8.
Quint, S. R., Messenheimer, J. A., Tennison, M. B., and Nagle, H. T. (1989). Assessing autonomic activity from the EKG related to seizure onset detection and localization. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 2-9.
Rey, H. R., Han, S. A., Higgins, A., Rosasco, K., Peisner, D., and James, L. S. (1989). Computer prediction of neonatal outcome and comparison with assessments by physicians and midwives. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 16-24.
Roger, K., Collet, C., Fumai, N., Petroni, M., Malowany, A. S., Carnevale, F. A., and Gottesman, R. D. (1992). Nursing workload management for a patient data management system. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 216-23.
Satti, J. A., Westervelt, F. H., and Ragan, D. P. (1991). A proposed parallel architecture for 3D dose computation in radiation therapy treatment plan. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 258-62.
Sawan, M., Duval, F., Pourmedhdi, S., and Mouine, J. (1990). A new multichannel bladder stimulator. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 190-6.
Shaw, R., Crisman, E., Loomis, A., and Laszewski, Z. (1990). The eye wink control interface: Using the computer to provide the severely disabled with increased flexibility and comfort. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 105-11.
Smith, K., Bearnson, G., Kim, H., Layton, R., Jarmin, R., and Smith, J. (1990). Electronics for the electrohydraulic total artificial heart. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 517-24.
Somerville, A. J. (1988). Failsafe design of closed loop systems. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 23-7.
Srini, K., Babadi, A., Kumar, V., Kamana, S., Dai, Z., Lin, Q., and Gollapudy, C. (1992). Multimedia and its application in medicine. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, p. 155.
Synder, A. J., Weiss, W. J., Pierce, W. S., and Nazarian, R. A. (1989). Microcomputer control of permanently implanted blood pumps. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 154-7.
Ta, N. P., Attikiouzel, Y., and Crebbin, G. (1990). Electrocardiogram compression using lapped orthogonal transform. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 244-51.
Taube, J. C., Pillutla, R., and Mills, J. (1988). Criteria for an adaptive fractional inspired oxygen controller. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 129-32.
Wang, T. P. and Vagnucci, A. H. (1990). Peak detection and hormone production within a cortisol circadian cycle. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 405-11.
Zanetti, J. M. and Salerno, D. M. (1991). Seismocardiography: A technique for recording precordial acceleration. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 4-9.
E. ARTIFICIAL INTELLIGENCE AND NEURAL NETWORKS
Anabar, M. and Anabar, A. (1988). The “understanding” of natural language in CAI and analogous mental processes. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 112-7.
Bankman, I. N., Sigillito, V. G., Wise, R. A., and Smith, P. L. (1991). Detection on the EEG K-complex wave with neural networks. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 280-7.
Benachenhou, D., Cader, M., Szu, H., Medsker, L. Wittwert, C., and Garling, D. (1990). AIDS viral DNA amplification by polymerase chain reaction employing primers selected by AI expert system and an ART neural network. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 504-11.
Benaroch, L. M. and Chausmer, A. B. (1989). A new approach to computer directed insulin management systems: Diacomp. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 80-96.
Bergeron, B. P. (1989). Challenges associated with providing simulation-based medical education. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 114-6.
Bobis, K. G., Evens, M., and Hier, D. (1989). Automating the knowledge acquisition process in medical expert systems. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 81-8.
Bronzino, J. D., Morelli, R. A., and Goethe, J. W. (1991). Design of an expert system for monitoring drug treatment in a psychiatric hospital. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 219-25.
Chan, K. C. C., Ching, J. Y., and Wong, A. K. C. (1992). A probabilistic inductive learning approach to the acquisition of knowledge in medical expert systems. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 572-81.
Chang, R.-C., Evens, M., Rovick, A. A., and Michael, J. A. (1992). Surface generation in a tutorial dialogue based on analysis of human tutoring sessions. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 554-61.
Chu, W. W., Ieong, I. T., Taira, R. K., and Breant, C. M. (1992). A temporal evolutionary object-oriented data model for medical image management. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 84-91.
Cios, K. J., Shin, I., and Goodenday, L. S. (1991). Using fuzzy sets to diagnose coronary artery stenosis. Computer 24(3), 57-63.
Conigliaro, N., Di Stefano, A., and Mirabella, O. (1988). An expert system for medical diagnosis. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 75-81.
Duerer, H., Wang, K., Wischnewsky, M. B., Zhao, J., and Hommel, J. (1992). Intensive help-A knowledge-based systems for intensive care units. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 335-44.
Dutta, S. (1988). Temporal reasoning in medical expert systems. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 118-22.
Eberhart, R. C., Dobbins, R. W., and Webber, W. R. S. (1989). Casenet: A neural network tool for EEG waveform classification. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 60-8.
Eberhart, R. C., Dobbins, R. W., and Hulton, L. V. (1991). Neural network paradigm comparisons for appendicitis diagnoses. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 298-304.
Eberhart, R. C. and Dobbins, R. W. (1990). Neural network performance metrics for biomedical applications. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 282-9.
Egbert, D. D., Kaburlasos, V. G., and Goodman, P. H. (1989). Invariant feature extraction for neurocomputer analysis of biomedical images. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 69-73.
Fu, L.-M. (1990). Refinement of medical knowledge bases: A neural network approach. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 290-307.
Gage, H. D. and Miller, T. K. (1990). Mapping networks for analysis of the forced expired volume signal. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 366-73.
Hadzikadic, M. (1992). Medical diagnostic expert systems: Performance vs. representation. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 562-71.
Hoogendoorn, E. L., Langton, K. B., Solntseff, N., and Haynes, R. B. (1991). A PC-based interface for an expert system to assist with preoperative assessments. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 251-7.
Hughes, C. (1988). Exploratory and directed analysis of medical information via dynamic classification trees. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 107-11.
Hwang, G. J. and Tseng, S. S. (1990). Building a multi-purpose medical diagnosis system under uncertain and incomplete environment. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 321-8.
Irani, E. A., Long, J. M., and Slagle, J. R. (1988). Experimenting with artificial neural networks-artificial intelligence mini-tutorial, part III. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 45-6.
Irani, E. A., Matts, J. P., Hunter, D. W., Slagle, J. R., Kain, R. Y., and Long, J. M. (1990). Automated assistance for maintenance of medical expert systems: The POSCH AI Project. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 275-81.
Kim, J. J. and Bekey, G. A. (1992). Adaptive abstraction in expert systems for medical diagnosis. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 345-52.
Koch, P. and Leisman, G. (1990). A continuum model of activity waves in layered neuronal networks: Computer models of brain-stem seizures. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 525-31.
Kowarski, D. (1990). A low-cost personal computer-based radiology diagnostic expert system and image and text database. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 298-305.
Krieger, D., Burk, G., and Sclabassi, R. J. (1991). Neuronet: A distributed real-time system for monitoring neurophysiologic function in the medical environment. Computer 24(3), 45-55.
Kuhn, K., Roesner, D., Zemmler, T., Swobodnik, W., Janowitz, P., Wechsler, J. G., Heinlein, C., Reichert, M., Doster, W., and Ditschuneit, H. (1991). A neural network expert system to support decisions in diagnostic imaging. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 244-50.
Leung, L. A., Slagle, J. R., Finkelstein, S. M., and Warwick, W. J. (1988). Temporal reasoning in medicine with an example in cystic fibrosis patient management-artificial intelligence mini-tutorial, part III. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 43-4.
Lin, W. and Tang, J.-X. (1991). DiagFH: An expert system for diagnosis of fulminant hepatitis. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 330-7.
Long, J. M., Slagle, J. R., Wick, M. R., Irani, E. A., Weisman, P. R., Matts, J. P., Clarkson, P. F., and POSCH Group (1988). Lessons learned while implementing expert systems in the real world of clinical trials data analyses: The POSCH AI Project. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 167-73.
Lusth, J. C., Bhatt, A. K., and Meehan, G. V. (1989). An embedded knowledge-based system for interpreting microbiology data. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 76-80.
Mattson, E. J., Thomas, M. M., Trenz, S. A., and Cousins, S. B. (1990). The WIC advisor: A case study in medical expert system development. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 329-36.
Mayer, G., Yamamoto, C., Evens, M., and Michael, J. A. (1989). Constructing a knowledge base from a natural language text. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 98-107.
McMillan, M. M. and Walter, D. C. (1989). Automated medical student-A computational model of skill acquisition and expert performance. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 108-11.
Ozdamar, O., Yaylali, I., Jayakar, P., and Lopez, C. N. (1991). Multilevel neural network system for EEG spike detection. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 272-9.
Pan, B. and Abdelhamied, K. (1992). Application of artificial neural networks for automatic measurement of micro-bubbles in microscopic images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 105-14.
Petrucci, K. E., Petrucci, P., Dobbs, G., Baranoski, B., and McQueen, L. (1991). The clinical evaluation of UNIS: An expert system for the long-term care of patients with urinary incontinence. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 236-43.
Poli, R., Cagnoni, S., Livi, R., Coppini, G., and Valli, G. (1991). A neural network expert system for diagnosing and treating hypertension. Computer 24(3), 64-71.
Poliac, M. O., Zanetti, J. M., Salerno, D., and Wilcox, G. L. (1991). Seismocardiogram (SCG) interpretation using neural networks. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 288-95.
Sagerer, G. and Niemann, H. (1988). An expert system architecture and its application to the evaluation of scintigraphic image sequences. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 82-8.
Schellenberg, J. D., Naylor, W. C., and Clarke, L. P. (1990). Application of artificial neural networks for tissue classification from multispectral magnetic resonance images of the head. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 350-7.
Schizas, C. M., Pattichis, C. S., Livesay, R. R., Schofield, I. S., Lazarou, K. X., and Middleton, L. T. (1991). Unsupervised learning in computer aided macro electromyography. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 305-12.
Shapiro, L. and Stetson, D. M. (1990). A general purpose shell for research assessment of bayesian knowledge bases supporting medical diagnostic software systems. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 261-14.
Stetson, D. M., Eberhart, R. C., Dobbins, R. W., Pugh, W. M., and Gino, A. (1990). Structured specification of a computer assisted medical diagnostic system. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 374-380.
Strand, E. M. and Johns, W. T. (1990). A neural network for tracking the prevailing heart rate of the electrocardiogram. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 358-65.
Tonkonogy, J. M. and Armstrong, J. (1988). Diagnostic algorithms and clinical diagnostic thinking. In Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 71-4.
Wang, C. H. and Tseng, S. S. (1990). A brain tumor diagnostic system with automatic learning abilities. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 313-20.
Wilson, K., Webber, W. R. S., Lesser, R. P., Fischer, R. S., Eberhart, R. C., and Dobbins, R. W. (1991). Detection of epileptiform spikes in the EEG using a patient-independent neural network. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 264-71.
Woo, C. W., Evens, M., Michael, J., and Rovick, A. (1991). Dynamic instructional planning for an intelligent physiology tutoring system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 226-33.
Wreder, K., Park, D. C., Adouadi, M. and Gonzalez-Arias, S. M. (1992). Stereotactic surgical planning using three-dimensional reconstruction and artificial neural networks. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 612-5.
Yoon, Y. O., Brobst, R. W., Bergstresser, P. R., and Peterson, L. L. (1990). Automated generation of a knowledge-base for a dermatology expert system. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 306-12.
Zhang, Y., Evens, M., Michael, J. A., and Rovick, A. A. (1990). Extending a knowledge base to support explanations. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 259-66.
F. IMAGING SYSTEMS
de Graaf, C. N., Koster, A. S. E., Vincken, K. L., and Viergever, M. A. (1992). A methodology for the validation of image segmentation method. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 17-24.
Geckle, W. J. and Szabo, Z. (1992). Physiological Factor Analysis (PFA) and parametric imaging of dynamic PET images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 9-16.
Hemler, R. F., Koumrian, T., Adler, J., and Guthrie, B. (1992). A three dimensional guidance system for frameless stereotactic neurosurgery. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 309-14.
Pearlman, W. A. and Abdel-Malek, A. (1992). Medical image sequence interpolation via hierarchical pel-recursive motion estimation. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 232-41.
Ramirez, M., Mitra, S., Kher, A., and Morales, J. (1992). 3-D digital surface recovery of the optic nerve head from stereo fundus images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 284-91.
Shah, U. B. and Nayar, S. K. (1992). Extracting 3-D structure and focused images using an optical microscope. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 292-301.
Stockett, M. H. and Soroka, B. J. (1992). Extracting spinal cord contours from transaxial MR images using computer vision techniques. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 1-8.
Tavakoli, N. (1992). Analyzing information content of MR images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 224-31.
Zhao, W., Chang, J. Y., Smith, D. M., and Ginsberg, M. D. (1992). Disparity analysis and its application to three-dimensional reconstruction of medical images. In Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 302-8.
G. MEDICAL DEVICES
Abousleman, G. P., Jordan, R., Asgharzadeh, A., Canady, L. D., Koechner, D., and Griffey, R. H. (1990). A novel eigenvector-based technique for spectral estimation of time-domain data in medical imaging. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 426-31.
Anbar, M. and D’Arcy, S. (1991). Localized regulatory frequencies of human skin temperature derived from analysis of series of infrared images. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 184-91.
Asgharzadeh, A., Jordan, R., Aboulesman, G., Canady, L. D., Koechner, D., and Griffey, R. H. (1990). Applications of adaptive analysis in magnetic resonance imaging. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 75-80.
Buchanan, J. and Thompson, B. G. (1990). Opportunities for the use of broad-band packet-switched data networks for direct patient care. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 9-13.
Canady, L. D., Jordan, R., Asgharzadeh, A., Abousleman, G., Koechner, D., and Griffey, R. H. (1990). Time-domain analysis of magnetic resonance spectra and chemical shift images. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 432-7.
Cheng, H. D., Li, X. Q., Riordan, D., Scrimger, J. N., Foyle, A., and MacAulay, M. A. (1991). A parallel approach to tubule grading in breast cancer lesions and its VLSI implementation. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 322-9.
Cook, G. B. (1989). M.L.I. databases with the words of clinical medicine. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 26-8.
192
JOHN M. LONG
Culver, T. L.and Cheng, S. N.-C. (1990). Computer simulation of a brain slice using fractals. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 512-6. Davis, D. T., Hwang, J.-N., and Lee, J. S.-J. (1991). Improved network inversion technique for query learning: Application to automated cytology screening. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 313-20. Dayhoff, R. E., Kuzmak, P. M., Maloney, D. L., and Shepard, B. M. (1991). Experience with an architecture for integrating images into a hospital information system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 121-8. Ellingtion, W. W. (1990). A medical care application using the integrated services digital network. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 24-32. Frieder, 0. and Stytz, M. R. (1990). Dynamic detection of hidden-surfaces using a MIMD multiprocessor. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 44-51. Fumai. N.. Collet, C., Petroni, M., Roger, K., Lam, A., Saab, E., Malowany, A. S., Carnevale, F. A., and Gottesman, R. D. (1991). Database design of an intensive care unit patient data management system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 78-85. Fumai, N., Collet, C., Petroni, M., Malowany, A. S., Carnevale, F. A., Gottesman, R. D., and Rousseau, A. (1990). The design of a simulator for an intensive care unit patient data management system. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 454-61. Greenshields, I. R., DiMario, F., Ramsby, G., and Perkins, J. (1991). Determination of ventricular structure from multisignature MR images of the brain. 
In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 135-44. Guan, S.-Y. and McCormick, B. H. (1991). Design of a 3D deformable brain atlas. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 113-30. Harris, M., Workman, K. B., Arrildt, W. D., and Leo, F. P. (1991). Benefits of using microcomputers to monitor imaging equipment service in a radiology department. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 178-82. Hiriyannaiah, H. P., Synder, W. E., and Bilbro, G. L. (1990). Noise in reconstructed images in tomography parallel, fan and cone beam projections. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 81-8. Jasiobedzki, P., McLeod, D., and Taylor, C. J. (1991). Detection on non-perfused zones in retinal images. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 162-9. Koechner, D., Rasure, J., Griffey, R. H., and Sauer, T. (1990). Clustering and classification of multispectral magnetic resonance images. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 32-7. Kuhn, K., Doster, W., Roesner, D., Kottmann, P., Swobodnik, W., and Ditschuneit, H. (1990). An integrated medical workstation with a multimodal user interface, knowledgebased user support, and multimedia documents. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 469-78.
COMPUTER-BASED MEDICAL SYSTEMS
193
Kurak, C. W., Jr. (1991). Adaptive histogram equilization: A parallel implementation. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 192-9. Laxer, C., Ideker, R. E., Smith, W. M., Wolf, P. D., and Simpson, E. V. (1990). A graphical display system for animating mapped cardiac potentials. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 197-204. Levine, S. D. (1989). Development of a PC-based clinical information system suitable for small-group medical practice. In Proceedings of the Second IEEE Symposium on ComputerBased Medical Systems 2, Computer Society Press, pp. 52-5. Liu, Z.-Q., Rangayyan, R. M., and Frank, C. B. (1990). Analysis directional features in images using gabor filters. I n Proceedings of the Third IEEE Symposium on ComputerBased Medical Systems 3, Computer Society Press, pp. 68-74. Losee, R. M. and Moon, S. B. (1990). Analytic prediction of medical document retrieval system performance. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 477-83. Ma, H.-N. N., Evens, M., Trace, D. A., and Naeymi-Rad, F. (1990). An intelligent progress note system for medas (A bayesian medical expert system). I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 484-91. MacAulay, M. A.. Scrimger, J. N., Riordan, D., Foyle, A., and Cheng, H. D. (1991). An interactive graphics package with standard examples of the Bloom and Richardson histological grading technique. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 108-12. Michael, P. A., Kanich, R. E., Hall, C. P., and Ruche, S. H. (1990). Computerized clinical histories: The development of an HIS subsystem in a community hospital. 
In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 462-8. Mussio, P., Pietrogrande, M., Bottoni, P., Dell’Oca, M., Arosio, E., Sartirana, E., Finanzon, M. R., and Dioguardi, N. (1991). Automatic cell count in digital images of liver tissue sections. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 153-60. Nemat, M., Martinez, R., Osada, M., Tawara, K., and Komatsu, K. (1990). A high speed integrated computer network for picture archiving and communication system (PACS). I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 14-23. Nevo, I., Roth, J. V., Ahmed, F., and Guez, A. (1991). A new patient’s status to facilitate decision making in anesthesia. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 88-93. Nilsson, A. A. and Khanmoradi, H. (1990). A queuing model of picture archiving and communication systems (PACS) with a hierarchy of storage. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 1-8. Olagunju, D. A. and Goldenberg, 1. F. (1989). Clinical databases: Who needs one (criteria analysis). I n Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 36-9. Perkowski, M., Wang, S., Spiller, W. K., Legate, A., and Pierzchata, E. (1990). Ovulocomputer: Application of image processing and recognition to mucus ferning patterns. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 52-9.
194
JOHN M. LONG
Rao, N. (1990). Frequency modulated pulse for ultrasonic imaging in an attenuating medium. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 89-96. Reilly, R. E., Amirinia, M. R., and Soames, R. W. (1991). A two-dimensional imaging walkway for gait analysis. I n Proceedings of the Fourth IEEE Symposium on ComputerBased Medical Systems 4, Computer Society Press, pp. 145-52. Robert, S., Prakash, S., Naeymi-Rad, F., Trace, D., Carmony, L., and Evens, M. (1991). MEDRIS: The hypermedia approach to medical record input-software engineering techniques for developing a hypermedia system. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 44-51. Rogers, E., Arkin, R. C., and Baron, M. (1991). Visual interaction in diagnostic radiology. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 170-7. Roggio, R. F. (1991). Performance resource profiling using a computer-based number discrimination test system. In Proceedings of the Fourth IEEE Symposium on ComputerBased Medical Systems 4, Computer Society Press, pp. 36-43. Roy, S.C., Krakow, W. T., Sacks, B., Batchelor, W. E., Bohs, L. N., and Barr, R. C. (1990). The design and verification of a VLSl chip for electrocardiogram data compression. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 170-7. Samuels, W.B., Evens, M., Naeymi-Rad, F., Rosenthal, R., Naeymirad, S., Lee,C.,Trace, D., and Carmony, L. (1989). Extending the feature dictionary to support sophisticated feature interaction and classification. In Proceedings of the Second IEEE Symposium on ComputerBased Medical Systems 2, Computer Society Press, pp. 29-35. Sanders, J. A. and Orrison, W. W. (1992). Design and implementation of a clinical MSI workstation. 
I n Proceedings of the Fifth IEEE Symposium on Computer-Based Medical Systems 5, Computer Society Press, pp. 138-46. Santago, P., Link, K. M., Snyder, W. E., Rajala, S. A., and Worley, J. S . (1990). Restoration of cardiac magnetic resonance images. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 60-7. Schwartz, M. D., Irani, P., Smith, 1. P., Ledford, C., and Funnel, W. R. J. (1988). Labor and delivery information system. I n Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 139-43. Smith, M. F., Jaszczar, R. J., Floyd, C. E., Jr., Greer, K. L., and Coleman, R. E. (1990). Interactive visualization of three-dimensional aspect cardiac images. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 213-9. Srinivasa, N., Ramakrishnan, K. R., and Rajgopal. K. (1988). Adaptive noise canceling in computed tomography. I n Proceedings of the Symposium on the Engineering of ComputerBased Medical Systems 1, Computer Society Press, pp. 65-8. Strickland, T. J., Jr. (1991). Development of an information system to assist management of critically ill patients. I n Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 70-7. Stytz, M. R., Frieder, G., and Frieder, 0. (1988). On the exploitation of a commercially available parallel processing architecture for medical imaging. I n Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems 1, Computer Society Press, pp. 49-55. Syh, H. W.,Chu, W. K.. and McConnell, J. R. (1991). A microcomputer based system for MR imaging analysis of brain for hepatic encephalopathy. I n Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 130-4.
COMPUTER-BASED MEDICAL SYSTEMS
195
Tavakoli, N. (1991). Lossless compression of medical images. In Proceedings of the Fourth IEEE Symposium on Computer-Based Medical Systems 4, Computer Society Press, pp. 200-7. Tompkins, W. J . and Luo, S. (1990). Twelve-lead simulation for testing interpretive ECG machines. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 178-81. Wada, T. (1990). Akaike’s model versus conventional spectral analysis as tools for analyzing multivariate clinical time series. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 532-9. Wang, G.-N., Evens, M., and Hier, D. B. (1990). On the evaluation on LITREF: a PC-based information retrieval system to support stroke diagnosis. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 548-55. Wang, G.-N., Evens, M., and Hier, D. B. (1989). LITREF-A microcomputer based information retrieval systems supporting stroke diagnosis, design, and development. In Proceedings of the Second IEEE Symposium on Computer-Based Medical Systems 2, Computer Society Press, pp. 46-5 I . Wu, 2 . and Guo, Y. (1990). A microcomputer based image analysis system for the left ventricle and the coronary artery. In Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 205-12. Zhao, D. and Trahey, G. E. (1990). Two algorithms for correcting phase aberration in a computer-controlled ultrasound imaging system. I n Proceedings of the Third IEEE Symposium on Computer-Based Medical Systems 3, Computer Society Press, pp. 38-43.
This Page Intentionally Left Blank
Algorithm-Specific Parallel Processing with Linear Processing Arrays

JOSE A. B. FORTES
School of Electrical Engineering, Purdue University, West Lafayette, Indiana

BENJAMIN W. WAH
Coordinated Science Laboratory, University of Illinois, Urbana, Illinois

WEIJIA SHANG
Center for Advanced Computer Studies, University of Southwestern Louisiana, Lafayette, Louisiana

KUMAR N. GANAPATHY
Coordinated Science Laboratory, University of Illinois, Urbana, Illinois
1. Introduction
   1.1 General Notation
   1.2 Algorithm Model
   1.3 Relation to Nested-Loop Programs
2. The Mapping Problem
3. Computation-Conflict-Free Mappings
4. Time-Optimal Mappings without Computational Conflicts
5. Parameter-Based Methods
   5.1 Parameters
   5.2 Constraints
   5.3 Design Method
6. Applications of the General Parameter Method
7. Conclusions
References
1. Introduction

Many applications of digital signal processing, scientific computing, digital communications, and control are characterized by repeated execution of a small number of computationally intensive operations. In order to meet performance requirements it is often necessary to dedicate hardware with parallel processing capabilities to these specialized operations. Processor arrays, due to their structural regularity and consequent suitability for VLSI implementation, are frequently used for this purpose. Regardless of whether their structures are fixed or designed to match algorithm characteristics, it is important to understand how to map these algorithms into processor arrays. This article discusses systematic ways of deriving such mappings. The techniques are illustrated by examples involving linear arrays of processors (one-dimensional processor arrays); however, unless otherwise stated, the results can be extended to arrays of arbitrary dimension.

Several linear arrays have been implemented for specific applications as well as for "wide-purpose" computing (Valero et al., 1991; Fortes et al., 1992). They are easier to build and program than arrays of higher dimensions. In particular, the connections among neighboring processors can be made very fast and, therefore, provide large communication bandwidths. For example, physical links in Warp (Annaratone et al., 1987; Menzilcioglu et al., 1989; Baxter et al., 1990) can serve several virtual channels capable of communication among neighboring cells. This is also the case for algorithm-specific linear arrays but, for design simplicity, each link may be used to transfer only a data item instead of being multiplexed among several of them.

In this paper, we present two methods of systematically mapping recurrent computations on such linearly connected processor arrays. The first method guarantees that no more than one computation is assigned to execute in any processor at any given time but assumes enough data channels between processors for the necessary data communication. The second method considers, in addition to computational conflicts, the possibility of communication conflicts and guarantees that individual links are not required to pass more than one data item at a time.

The techniques discussed here apply to algorithms described as recurrences, either by mathematical expressions or by high-level language programs. Section 1.2 provides a precise characterization of the class of algorithms for which our results are strictly valid. However, more general classes of algorithms and programs can also be mapped using similar techniques either in a piecewise manner or as heuristics to guide the search for good designs.

Once algorithms are characterized as sets of computations ordered by data dependences, the problem of mapping algorithms to processor arrays becomes equivalent to that of finding a function that assigns a processor and an instant of time to each computation of that algorithm. This function must have certain properties that guarantee computational correctness and efficient usage of processing resources. The techniques described in this paper include techniques and methods of mapping parameterized representations of the algorithms to linearly connected architectures of interest. Sections 2, 3, and 4 discuss the dependence-based method (DM) and techniques of selecting linear mappings. Sections 5 and 6 present an alternative approach, called the generalized parameter-based method (GPM), and show how it relates to the dependence-based method. Optimization procedures used with both approaches are described along with examples. Sections 2-4 are partially based on the work of Shang and Fortes (1992), and Sections 5 and 6, on that of Ganapathy and Wah (1992a,b).
1.1 General Notation

Arrows are used to denote vectors, while the transpose of a vector $\vec v$ or of a matrix $M$ are denoted $\vec v^T$ and $M^T$, respectively. The notation $\vec v \ge \vec u$ means every component of $\vec v$ is greater than or equal to the corresponding component of $\vec u$. The vector $\vec 0$ denotes a row or column vector whose entries are all zeros. The dimensions of vector $\vec 0$ and whether it denotes row or column vectors are implied by the context in which the vector is used. The rank and determinant of a matrix $A$ are denoted rank($A$) and det($A$), respectively. The set of integers is denoted by $Z$, the empty set by $\emptyset$, the cardinality of a set $C$ by $|C|$, and the absolute value of a scalar $\alpha$ by $|\alpha|$.
1.2 Algorithm Model

Uniform dependence algorithms (or uniform recurrence equations, UREs) are formally defined as follows.

Definition 1.1 (Uniform Dependence Algorithm). A uniform dependence algorithm is an algorithm that can be described by an equation of the form

$$v(\vec I) = g_{\vec I}\big(v(\vec I - \vec d_1), v(\vec I - \vec d_2), \ldots, v(\vec I - \vec d_r)\big), \qquad (1.1)$$

where

1. $\vec I = [i_1, \ldots, i_n]^T \in J \subset Z^n$ is an index point (a column vector); $J$ is the index set of the algorithm; and $n$ is the number of components of $\vec I$;
2. $g_{\vec I}$ is a computation indexed by $\vec I$, i.e., a single-valued function computed "at index point $\vec I$" in a single unit of time;
3. $v(\vec I)$ is the value computed "at $\vec I$," i.e., the result of computing the right-hand side of (1.1); output variables correspond to values at particular index points $\vec I$; if $\vec I$ is not in $J$, then $v(\vec I)$ is an input variable;
4. $\vec d_j$, $j = 1, \ldots, r$, are constant vectors (i.e., independent of $\vec I \in J$) called dependences; the matrix $D = [\vec d_1, \ldots, \vec d_r]$ is called a dependence matrix.
A well-known simple example of a URE is

$$c(i_1, i_2, i_3) = c(i_1, i_2, i_3 - 1) + a_{i_1,i_3} b_{i_3,i_2}, \qquad 1 \le i_1, i_2, i_3 \le N, \qquad (1.2)$$

which describes the computation of an ($N \times N$) matrix $C$ as the product of two ($N \times N$) matrices $A$ and $B$. This algorithm will be used as a running example throughout the description of the dependence-based method. The index set consists of all the integer points within a cube with sides of length $N$. At each point $\vec I = [i_1, i_2, i_3]^T$ a distinct one-variable function specified by the operator "$+\,a_{i_1,i_3} b_{i_3,i_2}$" is computed (other representations where $a_{i_1,i_3}$ and $b_{i_3,i_2}$ are treated as variables and the operator is simply "+" are discussed below). There is a single dependence $[0, 0, 1]^T$, and the product matrix corresponds to the values of $c(i_1, i_2, N)$.

Uniform dependence algorithms can be found in many scientific computations, digital signal processing applications, and other fields. However, a much larger class of algorithms, called affine dependence algorithms (or affine recurrence equations, AREs), can also benefit from the techniques proposed for UREs. For AREs, (1.1) is replaced by:
$$v(h(\vec I)) = g_{\vec I}\big(v(f_1(\vec I)), v(f_2(\vec I)), \ldots, v(f_r(\vec I))\big), \qquad (1.3)$$

where the indices $h$ and $f_j$, $j = 1, \ldots, r$, are affine functions of $\vec I$, i.e., functions of the form $F\vec I + \vec c$, where $F$ is a matrix with $n$ columns and $\vec c$ is a constant vector with as many elements as the number of rows in $F$. There exist techniques to transform AREs to UREs (that is, to uniformize AREs) but they are outside the scope of this article. The basic idea there is to select a few integral basis vectors such that all affine dependence vectors of the ARE can be expressed as nonnegative integer linear combinations of the basis vectors. These vectors correspond to uniform dependences following the uniformization.

For example, in the URE shown in (1.2) for matrix multiplication, $a_{i_1,i_3}$ and $b_{i_3,i_2}$ are inputs that are used in several computations (e.g., $a_{1,1}$ is used in computations to generate $c(1, i_2, 1)$ for all values of $i_2$). This can be shown explicitly as follows:
$$\begin{aligned}
a(i_1, i_2, i_3) &= a(i_1, 0, i_3), & 1 \le i_1, i_2, i_3 \le N \\
b(i_1, i_2, i_3) &= b(0, i_2, i_3), & 1 \le i_1, i_2, i_3 \le N \\
c(i_1, i_2, i_3) &= c(i_1, i_2, i_3 - 1) + a(i_1, i_2, i_3)\, b(i_1, i_2, i_3), & 1 \le i_1, i_2, i_3 \le N
\end{aligned} \qquad (1.4)$$

where $a(i_1, 0, i_3) = a_{i_1,i_3}$ and $b(0, i_2, i_3) = b_{i_3,i_2}$. The dependences for the first two statements are affine, i.e., they are $[0, i_2, 0]^T$ and $[i_1, 0, 0]^T$, respectively. Reusing or "pipelining" of these data among different computations can be done as follows (yielding a decomposition of the affine dependences in terms of the basis vectors $[0, 1, 0]^T$ and $[1, 0, 0]^T$ that are also uniform dependences resulting from the uniformization).

$$\begin{aligned}
a(i_1, i_2, i_3) &= a(i_1, i_2 - 1, i_3), & 1 \le i_1, i_2, i_3 \le N \\
b(i_1, i_2, i_3) &= b(i_1 - 1, i_2, i_3), & 1 \le i_1, i_2, i_3 \le N \\
c(i_1, i_2, i_3) &= c(i_1, i_2, i_3 - 1) + a(i_1, i_2, i_3)\, b(i_1, i_2, i_3), & 1 \le i_1, i_2, i_3 \le N
\end{aligned} \qquad (1.5)$$
This simple example illustrates also another advantage of uniformization in which we can eliminate broadcasts of data to many processing elements. In the above uniformizing algorithm, distinct variables (which may have identical values) are used to compute distinct $c(i_1, i_2, i_3)$. Procedures for uniformization and broadcast removal share many similarities and are discussed in Chen and Shang (1992), Quinton and Van Dongen (1989), Tzen and Ni (1992), Wong and Delosme (1992), and Yaacoby and Cappello (1988).

The matrix multiplication example also illustrates the fact that in a single algorithm there may be more than one recurrence equation of the form of (1.1). For the purpose of this article, we view any system of recurrence equations as a single recurrence that computes a tuple whose elements are variables on the left-hand sides of the individual recurrences of the system. For example, the transformed UREs in (1.5) can be described by a single recurrence:

$$\begin{aligned}
[a, b, c](i_1, i_2, i_3) &= g\big([a, b, c](i_1, i_2 - 1, i_3),\ [a, b, c](i_1 - 1, i_2, i_3),\ [a, b, c](i_1, i_2, i_3 - 1)\big) \\
&= \big[a(i_1, i_2 - 1, i_3),\ b(i_1 - 1, i_2, i_3),\ c(i_1, i_2, i_3 - 1) + a(i_1, i_2, i_3)\, b(i_1, i_2, i_3)\big].
\end{aligned} \qquad (1.6)$$

Note that we have used an ordered set notation to represent all the variables used in a system of recurrences (instead of representing each variable separately).
1.3 Relation to Nested-Loop Programs

Affine dependence algorithms are common in image processing, digital signal processing, and other scientific applications where regular computation-intensive operations are required (Fortes and Wah, 1987; Tucker and Robertson, 1988; Almasi and Gottlieb, 1989). In practice many of the algorithms that are executed by processor arrays are described in a procedural high-level language such as Fortran. Nested loops are often the most time-consuming kernels of these programs and are, therefore, targets of hardware accelerators based on processor arrays. It turns out that a large number of Fortran-like nested loops can be modeled as affine recurrences. For instance, it is relatively easy to relate the following generic nested loop to a corresponding system of affine recurrences.

    DO i_1 = l_1 TO N_1
      DO i_2 = l_2 TO N_2
        ...
          DO i_n = l_n TO N_n
            S_1(I)
            ...
            S_p(I)
          END
        ...
      END
    END                                                        (1.7)

where $S_j(\vec I)$ contains an assignment of the form of (1.3), i.e.,

$$v_j(h_j(\vec I)) = g_j\big(v_1(f_{j,1}(\vec I)), \ldots, v_p(f_{j,p}(\vec I))\big). \qquad (1.8)$$

It is possible that variable $v_j$, $1 \le j \le p$, appears more than once with different indexing functions such as $v_1(i, j) = v_1(i + j, i - j) + v_1(2i + j, 3i)$. Each appearance of a variable on the right-hand side may cause a dependence (Banerjee, 1988; Xing and Shang, 1993). If all the loop bounds $l_j$ and $N_j$, $j = 1, \ldots, n$, are linear functions of the index variables $i_1, \ldots, i_{j-1}$, the set of all the iteration vectors $\vec I$ of the loop can be described by a convex polyhedron. Affine recurrences can be used to model the program in (1.7) when (1) the indexing functions $h_j(\vec I)$ and $f_{j,l}(\vec I)$, $j, l = 1, \ldots, p$, are affine; (2) the bounds $l_j$ and $N_j$, $j = 1, \ldots, n$, are affine functions of the index variables $i_1, \ldots, i_{j-1}$; and (3) branch statements are allowed as long as all branches cause the same dependences, the computation times for different branches are the same, and branches do not go outside the loop.

For example, it is easy to see that the following nested-loop program corresponds to the pipelined version of the matrix multiplication algorithm described in (1.5).

    DO i_1 = 1 TO N
      DO i_2 = 1 TO N
        DO i_3 = 1 TO N
          a(i_1, i_2, i_3) = a(i_1, i_2 - 1, i_3)
          b(i_1, i_2, i_3) = b(i_1 - 1, i_2, i_3)
          c(i_1, i_2, i_3) = c(i_1, i_2, i_3 - 1) + a(i_1, i_2, i_3) b(i_1, i_2, i_3)
        END
      END
    END                                                        (1.9)
Intuitively, datum $a_{i_1,i_3}$ is pipelined along the $i_2$ axis from index point $[i_1, 1, i_3]^T$ to $[i_1, 2, i_3]^T$, ..., and to $[i_1, N, i_3]^T$. Similarly, $b_{i_3,i_2}$ is pipelined along the $i_1$ axis. Initially, $a(i_1, 0, i_3) = a_{i_1,i_3}$ and $b(0, i_2, i_3) = b_{i_3,i_2}$.

In short, we focus in this article on algorithms that can be modeled as uniform recurrences and affine recurrences that can be uniformized. For the purpose of this paper, only structural information of the algorithm, i.e., the index set $J$ and dependence matrix $D$, is needed. However, when addressing the problem of avoiding data-link conflicts, we use information about input/output data distributions derived from the desired mapping. Note that all computations are identical in the processor array when uniform recurrences are mapped. When inputs/outputs occur at the peripheral boundary of the processor array we need only consider a very limited number of possible data distributions of inputs/outputs. A uniform dependence algorithm with dependence matrix $D$ and index set $J$ is, therefore, described by a pair $(J, D)$. For the matrix-multiplication algorithm in (1.5) or (1.9), we have

$$J = \{[i_1, i_2, i_3]^T : 1 \le i_1, i_2, i_3 \le N,\ i_1, i_2, i_3 \in Z\}, \qquad
D = \begin{array}{c} \begin{array}{ccc} b & a & c \end{array} \\ \left[\begin{array}{ccc} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{array}\right] \end{array} \qquad (1.10)$$

The symbol on the top of each column in $D$ indicates the variable that causes the dependence.
2. The Mapping Problem

The central problem addressed in this paper is that of mapping an $n$-dimensional algorithm into an $m$-dimensional processor array where $m \le n - 1$. While the examples of this paper emphasize the case of linear arrays (i.e., $m = 1$), the technical discussions are valid for larger values of $m$, i.e., our techniques are applicable to processor arrays of arbitrary dimension. The mappings of interest are linear in nature and characterized by a mapping matrix of the following form:

such that the computation indexed by $\vec I$ is executed at time $\Pi \vec I$ by processor $S \vec I$. The vector $\Pi$ is called the time schedule vector, and $S$, the allocation matrix. Valid mappings must satisfy the following conditions:

1. Causality: $\Pi D > \vec 0$. This condition ensures the correct ordering of computations so that a computation at index $\vec I$ is never executed before a computation at $\vec I - \vec d_j$, $j = 1, \ldots, r$, i.e., a computation never takes place before its operands are available.

2. Routability: $SD = PK$. $P \in Z^{m \times w}$ is the matrix of interconnection primitives of the processor array and $K \in Z^{w \times r}$ is defined in such a way that

$$\sum_{i=1}^{w} k_{i,j} \le \Pi \vec d_j, \qquad j = 1, \ldots, r. \qquad (2.2)$$

The matrix $P$ describes the array connectivity. For example, an array in which each processor is connected to the four nearest east, south, west, and north neighbors has

$$P = \begin{bmatrix} 0 & 0 & 1 & -1 \\ 1 & -1 & 0 & 0 \end{bmatrix}.$$

A linear array where each processor has connections to its left and right neighbors has $P = [1, -1]$. The term $k_{i,j}$ represents the number of times the $i$th primitive (column $i$ of $P$) must be used to route the datum associated with the dependence $\vec d_j$. The sum $\sum_{i=1}^{w} k_{i,j}$ must be less than or equal to the interval of time between generation and consumption of the datum in order for the processor array to be able to implement the time schedule vector $\Pi$.

3. Conflict-free computations: for all $\vec I_1, \vec I_2 \in J$, if $\vec I_1 \ne \vec I_2$ then $T \vec I_1 \ne T \vec I_2$. This condition guarantees that no processor has to execute more than one computation at any given time.

4. Rank compatibility: rank($T$) $= m + 1$. This ensures that the algorithm is mapped into an array of $m$ dimensions, since rank($T$) $- 1$ is the dimension of the array derived from $T$.
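The causality condition can be exercised on the running example. The Python sketch below is an added illustration, not code from the chapter: it evaluates the recurrences (1.5) in the time order given by a schedule vector $\Pi$ and rejects a schedule as soon as an operand is not yet available. The function names, the sample matrices and the candidate schedule vectors are constructed for the illustration.

```python
from itertools import product

# Columns of the dependence matrix D in (1.10), keyed by the variable causing them.
DEPENDENCES = {"b": (1, 0, 0), "a": (0, 1, 0), "c": (0, 0, 1)}


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def is_causal(pi, deps=DEPENDENCES):
    """Causality condition: Pi * d_j > 0 for every dependence d_j."""
    return all(dot(pi, d) > 0 for d in deps.values())


def run_schedule(A, B, pi):
    """Evaluate the recurrences (1.5) in the order of the time steps Pi * I.

    A and B are N x N lists of lists. Returns C = A * B, read from c(i1, i2, N).
    Raises RuntimeError when a computation needs an operand that is produced
    in the same time step or later, i.e. when the schedule is not causal.
    """
    n = len(A)
    rng = range(1, n + 1)
    val, born = {}, {}                      # value / production time per (variable, point)
    for x, y in product(rng, repeat=2):     # boundary inputs, present before step one
        val["a", (x, 0, y)] = A[x - 1][y - 1]   # a(i1, 0, i3) = a_{i1,i3}
        val["b", (0, x, y)] = B[y - 1][x - 1]   # b(0, i2, i3) = b_{i3,i2}
        val["c", (x, y, 0)] = 0

    def operand(name, point, now):
        source = tuple(p - d for p, d in zip(point, DEPENDENCES[name]))
        key = (name, source)
        if key not in val or born.get(key, now - 1) >= now:
            raise RuntimeError(f"{name}{source} not available at time {now}")
        return val[key]

    for point in sorted(product(rng, repeat=3), key=lambda p: dot(pi, p)):
        now = dot(pi, point)
        a = operand("a", point, now)        # pipelined along the i2 axis
        b = operand("b", point, now)        # pipelined along the i1 axis
        c = operand("c", point, now) + a * b
        for name, value in (("a", a), ("b", b), ("c", c)):
            val[name, point] = value
            born[name, point] = now
    return [[val["c", (i, j, n)] for j in rng] for i in rng]


if __name__ == "__main__":
    A = [[1, 2], [3, 4]]                    # constructed sample input
    B = [[5, 6], [7, 8]]
    for pi in [(1, 1, 1), (2, 1, 3), (1, 1, 0), (1, 1, -1)]:
        try:
            print(pi, is_causal(pi), run_schedule(A, B, pi))
        except RuntimeError as err:
            print(pi, is_causal(pi), "rejected:", err)
```

The schedule $(1, 1, 0)$ is rejected although no operand is computed late: $c(i_1, i_2, i_3 - 1)$ would be produced in the same time step in which it is consumed, which is why the condition requires a strict inequality.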
Additional constraints are possible but are not considered here. They depend on implementation requirements. For instance, Lee and Kedem (1988, 1990), Ganapathy and Wah (1992a,b) (to be discussed in Sections 5 and 6), and Xue (1993) have introduced constraints that guarantee that data collisions do not occur in communication links. The execution time that results from using mapping matrix $T$ is given by

$$t = \max\{\Pi(\vec I_1 - \vec I_2) : \vec I_1, \vec I_2 \in J\} + 1, \qquad (2.3)$$

which reduces to

$$t = 1 + \sum_{j=1}^{n} |\pi_j| (N_j - l_j) \qquad (2.4)$$

when index set $J$ is constant bounded; that is, $J$ is of the form

$$J = \{[i_1, \ldots, i_n]^T : l_j \le i_j \le N_j,\ i_j \in Z,\ j = 1, \ldots, n\}, \qquad (2.5)$$
where $l_j$ and $N_j$ correspond to the constant lower and upper bounds of the jth loop, respectively. An important property of (2.4) is that the total execution time is a monotonically increasing function of $|\pi_j|$, j = 1, ..., n (O'Keefe and Fortes, 1986; O'Keefe et al., 1991; Li and Wah, 1985). This fact implies that it is not possible to reduce the absolute value of any of the entries of the optimal time schedule vector $\Pi$ without obtaining an invalid mapping.

When rank(T) = n, computation conflicts can be avoided by ensuring that T is nonsingular because the mapping described by T is then injective. However, when rank(T) = m + 1 < n, it is always possible to have $T\vec{I}_1 = T\vec{I}_2$ for two different points $\vec{I}_1$ and $\vec{I}_2$ (or equivalently $T(\vec{I}_1 - \vec{I}_2) = \vec{0}$), and if these points belong to the index set, a conflict occurs in the corresponding computations. To avoid conflicts, it is desirable to use a mapping matrix T such that for any $\vec{I} \in J$ and any nonzero integer solution $\vec{\gamma}$ of $T\vec{\gamma} = \vec{0}$, the point $\vec{I} + \vec{\gamma}$ does not belong to J. It is easy to show that we need to consider only those solutions of $T\vec{\gamma} = \vec{0}$ whose entries are relatively prime, i.e., $\gcd(\gamma_1, \ldots, \gamma_n) = 1$.¹ These solutions are called conflict vectors.

¹ $\gcd(a_1, \ldots, a_n)$ denotes the greatest common divisor of integers $a_1, \ldots, a_n$.

FIG. 1. Nonfeasible and feasible conflict vectors $\vec{\gamma}_1$ and $\vec{\gamma}_2$.
the vector $\vec{\gamma}$ is a feasible conflict vector; otherwise, it is nonfeasible. If all conflict vectors of a mapping matrix T are feasible, the mapping is computation conflict free. This concept is illustrated in Fig. 1, which shows a two-dimensional index set $J = \{[i_1, i_2]^T : 0 \le i_1 \le 6,\ 0 \le i_2 \le 3,\ i_1, i_2 \in Z\}$. For the conflict vector $\vec{\gamma}_1 = [2, 1]^T$, both $\vec{I} = \vec{0}$ and $\vec{I} + \vec{\gamma}_1 = [2, 1]^T$ belong to index set J, and computations indexed by $[0, 0]^T$, $[2, 1]^T$, $[4, 2]^T$, and $[6, 3]^T$ are mapped to the same processor and the same execution time. Therefore, there is at least one conflict. However, for conflict vector $\vec{\gamma}_2 = [2, 5]^T$, there will be no conflict at all because for any arbitrary $\vec{I} \in J$, we have $\vec{I} + \vec{\gamma}_2 \notin J$. Intuitively, if the vector $[2, 5]^T$ is drawn with one end at $[0, 0]^T$ (or at any other index point of the index set), the other end is outside the index set, and the vector $[2, 5]^T$ does not meet any integer points in the index set. Therefore, the mapping with this $\vec{\gamma}_2$ is conflict free.

As another example, consider a four-dimensional algorithm (J, D), where

$$J = \{\vec{I} : \vec{I} \in Z^4,\ 0 \le i_j \le 7,\ j = 1, \ldots, 4\}. \tag{2.6}$$

Assuming that this algorithm is to be mapped to a one-dimensional (linear) processor array, one possible mapping matrix is
'1
T = [ '0 1 8 1 '
(2.7) +
Consider the following solutions of $T\vec{\gamma} = \vec{0}$: $\vec{\gamma}_1 = [0, 8, -1, 0]^T$, $\vec{\gamma}_2 = [0, 0, 1, -8]^T$, and $\vec{\gamma}_3 = [0, 1, 0, -1]^T$. Clearly, $T\vec{\gamma}_1 = T\vec{\gamma}_2 = T\vec{\gamma}_3 = \vec{0}$, and the greatest common divisor of their entries is unity. So $\vec{\gamma}_1$, $\vec{\gamma}_2$, and $\vec{\gamma}_3$ are the conflict vectors of the mapping matrix T. However, the vector $[0, 2, 0, -2]^T$ is also a solution of the equation $T\vec{\gamma} = \vec{0}$, but is not a conflict vector of the mapping matrix T because the greatest common divisor of its entries is not unity. The conflict vectors $\vec{\gamma}_1$ and $\vec{\gamma}_2$ are feasible because for any arbitrary index point $\vec{I} \in J$, we have $\vec{I} + \vec{\gamma}_j \notin J$, j = 1, 2. The conflict vector $\vec{\gamma}_3$ is not feasible because for index point $\vec{I} = [0, 0, 0, 1]^T \in J$, we have $\vec{I} + \vec{\gamma}_3 = [0, 1, 0, 0]^T \in J$. Therefore, T has computational conflicts.

It is not practical to check that every conflict vector $\vec{\gamma}$ of a mapping matrix T is feasible (this involves checking that $\vec{I} + \vec{\gamma}$ is not in J for every computation $\vec{I}$ of the algorithm). Therefore, conditions under which T is conflict free are discussed in the next section. In Section 4 the problem of finding optimal conflict-free mappings given an allocation matrix is addressed.
3. Computation-Conflict-Free Mappings
For constant-bounded algorithms of size $N_j - l_j$ (see (2.5)), it is simple to show that a mapping matrix T is conflict free if and only if every conflict vector $\vec{\gamma}$ has at least one entry $\gamma_j$ such that $|\gamma_j| > N_j - l_j$ (Shang and Fortes, 1992). However, it is desirable to express these conditions in terms of the time mapping vector $\Pi$ so that it is possible to use the conditions in order to select the optimal schedule. To understand this concept, we first discuss the easiest case of m = n - 2. Let $\Pi \in Z^{1 \times n}$, $S \in Z^{(n-2) \times n}$, and rank(S) = n - 2. Consider the following equation
We first assume that rank(T) = n - 1. Later in this section, we give conditions on $\Pi$ that guarantee rank(T) = n - 1. Clearly, there is only one linearly independent solution of (3.1). Without loss of generality, let $T = [B, \vec{b}]$, where B contains the first n - 1 columns of T, rank(B) = n - 1, and $\vec{b}$ is the last column of T. Also, let $B^*$ and det(B) be the adjugate matrix and determinant of matrix B, respectively (Strang, 1980, p. 170). Then all the solutions of (3.1) can be expressed as

$$\vec{\gamma} = \lambda \begin{bmatrix} -B^{*}\vec{b} \\ \det(B) \end{bmatrix}, \tag{3.2}$$

where $\lambda$ is a constant.

If the first nonzero entry of a conflict vector is assumed to be positive (which does not entail any loss of generality), then for the mapping matrix $T \in Z^{(n-1) \times n}$, there is only one unique conflict vector (otherwise, $-\vec{\gamma}$ would also be a conflict vector). This unique conflict vector $\vec{\gamma}$ is expressed by (3.2), where $\lambda$ is such that $\vec{\gamma}$ is integral, its entries are relatively prime, and the first nonzero entry is positive. If this unique conflict vector is feasible, the corresponding mapping is conflict free. In addition, if $\Pi$ is such that there exists a nonzero entry $f_j(\pi_1, \ldots, \pi_n)$, $1 \le j \le n$, rank(T) = n - 1 because $f_j(\pi_1, \ldots, \pi_n)$ is the determinant of the submatrix of T consisting of all but the jth columns of T (Strang, 1980). Ideally, the functions $f_j$ in (3.2) would be linear, and the feasibility constraints mentioned above ($|\gamma_j| > N_j - l_j$ for some j) would allow the identification of an optimal mapping by solving an integer linear programming problem. It turns out that if the allocation matrix S is known, $f_j$, j = 1, ..., n, are indeed linear functions of $\pi_i$, i = 1, ..., n. This is illustrated by the following example.
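Example 3.1. Consider the matrix-multiplication algorithm. If the space allocation matrix S is chosen as [1, -1, 0], the mapping matrix T and its conflict vector $\vec{\gamma}$ are

$$T = \begin{bmatrix} \pi_1 & \pi_2 & \pi_3 \\ 1 & -1 & 0 \end{bmatrix}, \qquad \vec{\gamma} = \lambda \begin{bmatrix} \pi_3 \\ \pi_3 \\ -(\pi_1 + \pi_2) \end{bmatrix}. \tag{3.3}$$

It is clear that $T\vec{\gamma} = \vec{0}$. If $\Pi$ is chosen such that $\pi_3 \neq 0$ or $\pi_1 + \pi_2 \neq 0$, then rank(T) = n - 1 = 2.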
Consider now conditions for the general case where $m \le n - 2$. In these mappings, $T \in Z^{(m+1) \times n}$, $T = \begin{bmatrix} \Pi \\ S \end{bmatrix}$, $\Pi \in Z^{1 \times n}$, and $S \in Z^{m \times n}$. Consider again (3.1). If rank(T) = m + 1, there are n - (m + 1) linearly independent solutions of (3.1). Let $\vec{\gamma}_1, \ldots, \vec{\gamma}_{n-(m+1)}$ be the linearly independent integral solutions of (3.1) whose entries are relatively prime. All solutions $\vec{\gamma}$ of (3.1) can be represented as the following linear combinations:

$$\vec{\gamma} = \lambda_1 \vec{\gamma}_1 + \cdots + \lambda_{n-(m+1)} \vec{\gamma}_{n-(m+1)}. \tag{3.4}$$

Clearly, $\vec{\gamma}_1, \ldots, \vec{\gamma}_{n-(m+1)}$ are conflict vectors of T. In general, the mapping matrix T has more than n - (m + 1) conflict vectors when m < n - 2 because a linear combination of these n - (m + 1) conflict vectors may represent a different integral vector, whose entries are relatively prime, and, therefore, is another conflict vector of T. This new conflict vector may or may not be feasible. Thus, unlike the mapping matrix $T \in Z^{(n-1) \times n}$ described earlier in this section, we cannot guarantee that all conflict vectors of T are feasible even if the n - (m + 1) linearly independent solutions $\vec{\gamma}_j$, j = 1, ..., n - (m + 1), of the equation $T\vec{\gamma} = \vec{0}$ are all feasible. This is illustrated by the following example.
Example 3.2. Consider the algorithm with the four-dimensional index set in (2.6) and mapping matrix T in (2.7). Let $\vec{\gamma}_1 = [0, 8, -1, 0]^T$ and $\vec{\gamma}_2 = [0, 0, 1, -8]^T$. Clearly, $T\vec{\gamma}_1 = T\vec{\gamma}_2 = \vec{0}$, and $\vec{\gamma}_1$ and $\vec{\gamma}_2$ are linearly independent and are feasible conflict vectors of T. Let $\vec{\gamma} = \vec{\gamma}_1/8 + \vec{\gamma}_2/8 = [0, 1, 0, -1]^T$. The vector $\vec{\gamma}$ is also a solution of the equation $T\vec{\gamma} = \vec{0}$ whose entries are relatively prime and, therefore, is a conflict vector of T. Because none of the absolute values of the entries of $\vec{\gamma}$ is greater than the corresponding dimension size $N_j - l_j = 7$, $\vec{\gamma}$ is not feasible in the sense discussed at the beginning of the present section. Therefore, as already mentioned, for a given mapping matrix $T \in Z^{(m+1) \times n}$ with m < n - 2, there are possibly more than n - (m + 1) conflict vectors, and T may not be conflict free even if there are n - (m + 1) linearly independent feasible conflict vectors of T.
Example 3.2 brings out the difficulties involved in making all the conflict vectors of a mapping matrix T feasible. Nonfeasible conflict vectors can result from rational linear combinations of the n - (m + 1) linearly independent feasible conflict vectors $\vec{\gamma}_1, \ldots, \vec{\gamma}_{n-(m+1)}$ (as is illustrated by $\vec{\gamma} = \vec{\gamma}_1/8 + \vec{\gamma}_2/8$ in Example 3.2). However, there is another way of selecting the n - (m + 1) linearly independent conflict vectors of T such that the constants $\lambda_j$, j = 1, ..., n - (m + 1), in (3.4) must be integral in order for $\vec{\gamma}$ to be integral. As we now explain, the Hermite normal form (Schrijver, 1986, p. 45) of the mapping matrix T can be used to achieve this.

For any matrix $T \in Z^{(m+1) \times n}$ with rank(T) = m + 1, there exists a unimodular² matrix $U \in Z^{n \times n}$ such that TU = H = [L, 0], where 0 denotes a zero-entry matrix, and $L \in Z^{(m+1) \times (m+1)}$ is a nonsingular and lower triangular matrix whose diagonal elements are positive and each of whose diagonal elements is the maximum of all the absolute values of the elements in that same row (Schrijver, 1986, p. 45). The matrix H is called the Hermite normal form of T. For the purpose of this paper it is enough to know that T can be transformed into a lower triangular matrix [L, 0] by right multiplication of a unimodular matrix U. It is not required that each diagonal element of L be positive or be the maximum of all the absolute values of the elements in that same row.

² A matrix is unimodular if and only if it is integral and the absolute value of its determinant is unity.
For a given mapping matrix T, let H be the corresponding Hermite normal form and T = HV, where $V = U^{-1}$, $U = [\vec{u}_1, \ldots, \vec{u}_n]$, and $V = [\vec{v}_1, \ldots, \vec{v}_n]$. Equation (3.1) can be rewritten as $HV\vec{\gamma} = \vec{0}$. Let $\vec{\beta} = V\vec{\gamma} = [\beta_1, \ldots, \beta_n]^T$ and $\vec{\gamma} = U\vec{\beta}$. Then the following theorem is true (Shang and Fortes, 1992).

Theorem 3.1.
1. $H\vec{\beta} = \vec{0}$ if and only if $\beta_1, \ldots, \beta_{m+1}$ are all zero.
2. The vector $\vec{\gamma}$ is integral if and only if $\vec{\beta}$ is integral.
3. The vector $\vec{\gamma}$ is a conflict vector of the mapping matrix T if and only if
(3.5)
where $\beta_j$, j = m + 2, ..., n, are arbitrary integers that are relatively prime and not all zero.

What Theorem 3.1 implies is that all the conflict vectors of the mapping matrix T can be represented by (3.5), where $\beta_{m+2}, \ldots, \beta_n$ are arbitrary integers that are relatively prime and not all zero. Notice that a nonintegral value of any one of the $\beta_{m+2}, \ldots, \beta_n$ results in a nonintegral vector $\vec{\gamma}$ according to Theorem 3.1. Hence, in this representation, we can avoid the case where a new conflict vector of T is obtained by a nonintegral linear combination of the n - (m + 1) linearly independent solutions of (3.1).
Example 3.3. The Hermite normal form of the mapping matrix T in (2.7) is T U = H = F 01 0 0 0], 0 where 1 - 1 0
U=[:
0
0
0 -8 - 1
~
~
1
and
0 V=U-’=[ 0
1 1 0
8
1 8 1
0 -1 -8
’ 1 0 0,
All the conflict vectors of T are integral combinations of the third and fourth columns of the matrix U as follows:
? = [ - a -;I[: 0
0
, 14
where $\beta_3$ and $\beta_4$ are integers that are relatively prime and are not both zero.

The Hermite normal form of T provides a convenient representation of all conflict vectors. The following two theorems provide necessary conditions for conflict-free computations based on the entries of the matrix U. This matrix can be computed in polynomial time (Kannan and Bachem, 1979) and when the allocation matrix S is known, it is possible to express the entries of U as functions of the time schedule $\Pi$.

Theorem 3.2. Let $v_{i,j}$ be the entry of a matrix V at the ith row and the jth column. If the mapping matrix T is conflict free, at least one of its first m + 1 entries of each and every column of V must be nonzero; that is, the following conditions hold:

$$(v_{1,1} \neq 0 \vee v_{2,1} \neq 0 \vee \cdots \vee v_{m+1,1} \neq 0) \wedge (v_{1,2} \neq 0 \vee v_{2,2} \neq 0 \vee \cdots \vee v_{m+1,2} \neq 0) \wedge \cdots \wedge (v_{1,n} \neq 0 \vee v_{2,n} \neq 0 \vee \cdots \vee v_{m+1,n} \neq 0). \tag{3.6}$$

Theorem 3.3. If the mapping matrix T is feasible, $\vec{u}_{m+2}, \ldots, \vec{u}_n$ are feasible conflict vectors.

It is also possible to derive sufficient conditions for conflict-free computations based on the Hermite normal form of T (Shang and Fortes, 1992). However, necessary and sufficient conditions for conflict-free mappings are much harder to derive and remain an open problem when m < n - 2. Instead, a procedure reported in our previous work (Yang et al., 1992) can be used to test for computational conflicts. This procedure is based on the fact that it is possible to reduce the problem of conflict detection to that of checking if a convex polyhedron contains integral points.
4. Time-Optimal Mappings without Computational Conflicts

We now present two different approaches for selecting optimal time mappings $\Pi$ given a space allocation matrix S. In other words, we show how to schedule the computations of an algorithm after they have been allocated to processors. One approach employs a method we have developed earlier (Li and Wah, 1985; O'Keefe et al., 1991; O'Keefe and Fortes, 1986) to intelligently search a solution space in an efficient manner. A second method uses integer linear programming augmented with heuristics, which we illustrate in this section using as an example the matrix-multiplication algorithm.

We now briefly discuss the first approach and explain it in more detail in Sections 5 and 6 when we present the parameter method. The fact that the execution time of a schedule $\Pi$ is a monotonic function of the absolute values of the entries of $\Pi$ can be used to devise an efficient search of the solution space. The basic idea is to enumerate all the possible values of $\Pi$ in increasing order of the sum of the absolute values of its entries (this assumes the index-set bounds are the same for every dimension; simple modifications can be made to deal with the general case [Shang and Fortes, 1992]). This search method guarantees that the first feasible solution is optimal because of the monotonic increase in execution time with increasing absolute values of the entries of $\Pi$. By feasible, we mean that T satisfies the conditions of causality, routability, freedom of computational conflicts, and rank compatibility. As discussed in the previous subsection, freedom of computational conflicts can be easily tested when T is (n - 1) x n in O(n) time. In the general case this method has complexity $O((2N + 1)^n)$, where $N = \min\{N_j - l_j : j = 1, \ldots, n\}$. More efficient search methods may make use of the necessary conditions provided in the theorems in the last subsection. We have studied several techniques of reducing the search complexity (Yang et al., 1992). Examples include starting the search at the lower bound of the sum of the absolute values of $\Pi$ instead of when the sum is one.

The problem of selecting an optimal schedule for the case $T \in Z^{(n-1) \times n}$ can be formulated as an integer programming problem as follows.

$$\min f = \sum_{j=1}^{n} |\pi_j| (N_j - l_j) \tag{4.1}$$

subject to

$$\begin{cases} (1)\ \Pi D > \vec{0} \\ (2)\ SD = PK \text{ and } \sum_{i=1}^{w} k_{i,j} \le \Pi \vec{d}_j,\ j = 1, \ldots, r \\ (3)\ \text{there exists } j \in \{1, \ldots, n\} \text{ such that } |f_j(\pi_1, \ldots, \pi_n)| > N_j - l_j \\ (4)\ \Pi \in Z^{1 \times n} \end{cases} \tag{4.2}$$

where $T = \begin{bmatrix} \Pi \\ S \end{bmatrix}$,
S and P are given, and $f_j$, j = 1, ..., n, are as defined in (3.2). As discussed previously, constraint 3 guarantees freedom of computational conflicts and implies that rank(T) = m + 1. Constraint 2 is not required if a new processor array is specially designed for the algorithm, or yields linear constraints if P is known. Constraint 3 in (4.2) is linear because $T \in Z^{(n-1) \times n}$, i.e., the dimension of the algorithm is reduced by one. The formulation in (4.1) and (4.2) is, therefore, an integer piecewise linear programming problem if, as is in the next example (4.1), constraint 1 in (4.2) requires $\pi_j > 0$, j = 1, ..., n. This relaxes the absolute-value requirement in the objective function in (4.1). Further, this integer piecewise linear programming problem can be converted to a piecewise linear programming problem for some applications, as illustrated in Example 4.1. We can add one more constraint, that $\gcd(f_1, \ldots, f_n) = 1$, where $f_j$, j = 1, ..., n, are as defined in (3.2), to the formulation in (4.1) and (4.2) to guarantee that the greatest common divisor of the resulting conflict vector will be unity. However, this makes the problem more difficult to solve. Hence, we ignore this constraint and check the feasibility of the conflict vector of the resulting solution after the solution has been found. In other words, the conflict vector may not be feasible after the common factor of its entries is removed (Shang and Fortes, 1992).

In general, integer programming problems are NP-complete (Schrijver, 1986, p. 245). However, there are two approaches in which this optimization problem may be solved efficiently. First, for each fixed natural number n, there exists a polynomial-time algorithm that solves the optimization problem in time that is a polynomial function of the number of constraints and a logarithmic function of the problem-size variables $N_j - l_j$, j = 1, ..., n (Schrijver, 1986, p. 259).
Since in our case, n, the dimension of the recurrence equation, and the number of constraints are relatively small, the optimization problem formulated in (4.1) and (4.2) can be solved efficiently. Second, given that the objective function is convex, the optimal solution to the integer linear programming problem of (4.1) and (4.2) is the same as that of the corresponding linear programming problem (with integrality constraints removed) if the solutions at the extreme points are integral. This is the method we have used in finding the optimal solution in the following example.
Example 4.1. Consider the matrix-multiplication algorithm and space allocation matrix S = [1, -1, 0]. Its dependency matrix D and index set J are shown in (1.10). To satisfy constraint 1 in (4.2), each entry of the linear schedule vector $\Pi$ must be positive, i.e., $\pi_j \ge 1$, j = 1, ..., 3. Therefore, the problem of finding an optimal linear schedule vector for the matrix-multiplication algorithm is formulated as an integer piecewise linear programming problem:

$$\min f = N(\pi_1 + \pi_2 + \pi_3)$$

subject to

$$\begin{cases} (1)\ \pi_j \ge 1,\ j = 1, 2, 3 \\ (2)\ SD = PK \text{ and } \sum_{i=1}^{w} k_{i,j} \le \Pi \vec{d}_j,\ j = 1, \ldots, 3 \\ (3)\ \pi_3 \ge N, \text{ or } \pi_1 + \pi_2 \ge N \\ (4)\ \Pi \in Z^{1 \times 3} \end{cases} \tag{4.3}$$
where the inequalities in constraint 3 are derived in Example 3.1 and shown in (3.3). A linear systolic array is to be designed specially for the matrix-multiplication algorithm. Thus, constraint 2 in (4.3) can be ignored. Actually, if one insists on having near-neighbor connections, constraint 2 yields the constraints $\pi_1 \ge 1$, $\pi_2 \ge 1$, and $\pi_3 \ge 0$. This is true because if P and K are chosen as [1, -1, 0] and I (the identity matrix), respectively, SD = SI = [1, -1, 0] = PK = [1, -1, 0]I. In fact, these constraints are subsumed by constraint 1. For an integer linear programming problem with convex solution set, if all its extreme points are integral, one of the extreme points is the optimal solution of that problem (Schrijver, 1986, p. 232). The solution set of the integer programming problem in (4.3) is not convex because of constraint 3, although all the extreme points are integral. One way of solving this problem is to partition the solution set into two disjoint convex subsets and find all the local optimal solutions for all the disjoint solution subsets. If the local optimal solution with the smallest value of the objective function is satisfactory, it is the optimal solution of the integer programming problem in (4.3).

The integer piecewise linear programming problem in (4.3) can be decomposed into two integer linear programming subproblems as follows:

$$\text{(I)} \quad \min f = N(\pi_1 + \pi_2 + \pi_3) \quad \text{subject to} \quad \begin{cases} (1)\ \pi_j \ge 1,\ j = 1, 2, 3 \\ (2)\ \pi_3 \ge N \\ (3)\ \pi_1 + \pi_2 \le N \\ (4)\ \Pi \in Z^{1 \times 3} \end{cases} \tag{4.4a}$$

$$\text{(II)} \quad \min f = N(\pi_1 + \pi_2 + \pi_3) \quad \text{subject to} \quad \begin{cases} (1)\ \pi_j \ge 1,\ j = 1, 2, 3 \\ (2)\ \pi_1 + \pi_2 \ge N \\ (3)\ \Pi \in Z^{1 \times 3} \end{cases} \tag{4.4b}$$
Each of these problems is an integer linear programming problem with convex solution set. We can check that every extreme point of these convex sets is integral. Each extreme point is the solution of three of the following five equations: $\pi_1 = 1$, $\pi_2 = 1$, $\pi_3 = 1$, $\pi_3 = N$, and $\pi_1 + \pi_2 = N$. There are five such solutions from these five equations that satisfy $\Pi D > \vec{0}$ as follows: $\Pi_1 = [1, 1, N]$, $\Pi_2 = [1, N - 1, 1]$, $\Pi_3 = [1, N - 1, N]$, $\Pi_4 = [N - 1, 1, 1]$, and $\Pi_5 = [N - 1, 1, N]$. The extreme points with the shortest execution time are $\Pi_2$ and $\Pi_4$. The conflict vectors for $\Pi_2$ and $\Pi_4$ are, according to (3.3), $[1, 1, -N]^T$, which is feasible because the absolute value of the third entry of the conflict vector is greater than the corresponding size N - 1. So both $\Pi_2$ and $\Pi_4$ are feasible and optimal because their conflict vectors are feasible, and they have the shortest execution time. If we choose $\Pi_2$, the total execution time is $t = (N - 1)(1 + N) + 1 = N^2$ according to (2.4), and N - 2 buffers are needed between the two PEs on the link of data A induced by the dependency $\vec{d}_2$, since

$$\Pi_2 \vec{d}_2 - \sum_{j=1}^{3} k_{j,2} = N - 1 - 1 = N - 2.$$
Figure 2 shows the block diagram of the linear array for multiplying two 4 x 4 matrices (N = 4). Figure 3 shows the execution of the matrix-multiplication algorithm for the corresponding mapping matrix

$$T = \begin{bmatrix} 1 & 3 & 1 \\ 1 & -1 & 0 \end{bmatrix}.$$

The computation $c_{i_1,i_2} = c_{i_1,i_2} + a_{i_1,i_3} b_{i_3,i_2}$ indexed by $\vec{I} = [i_1, i_2, i_3]^T$ is executed at processor $[1, -1, 0]\vec{I}$ and at time $[1, 3, 1]\vec{I}$. By inspecting Fig. 2, we can confirm that there are no computational conflicts. Two buffers are needed between the two PEs on the link for data A, or for dependency vector $\vec{d}_2$. The total execution time is 16, and the total number of PEs is 7. As shown in Fig. 2, two data links are used, one for data A traveling from left to right and one for data B traveling from right to left. Data C are stationary and $PE_i$, $-3 \le i \le 3$, computes $c_{i_1,i_2}$ such that $i_1 - i_2 = i$. (For example, $PE_0$ computes $c_{1,1}$, $c_{2,2}$, $c_{3,3}$, and $c_{4,4}$.)
FIG. 2. Block diagram of the linear array for matrix multiplication.
JOSE A. B. FORTES e t a / .
PE-3
PE-2
PE-1
5 6
7 8
9
10 11 12 13
la11 14 4b14 1c14 1 a12 15 4 b24 2c14 la13 16 4b34 3c14 1 a14 17 4b44 4c14 18 19
Time
20
la11 3h13 1 c13 la12 3b23 2c13 1 n13 3h33 3c13 1 i114 3b43 4c13 2;121 4b14 1 c24 2a22 4b24 2c24 2L!3 4b34 3c24 2Z124 4b44 4c24
1all 2h12 1c12 1 a12 2b22 2c12 1 :113 2b32 3c12 la14 2b42 4c12 21121 3b13 1 c23 2a22 3b23 2c23 2a23 3h33 3c23 2a24 3 b43 4c23 3a31 4b14 1 c34 3 i132 4b24 2c34 3 a33 4 b34 3 c34 3 iI34 4b44 4 c34
PEO 1a l l 1b l l 1 Cll 1 a12 lh21 2cll 1 a13 lb31 3cll la14 lb41 4cll 2a21 2b12 1 c22 2iI22 2h22 2c22 2a23 2b32 3c22 2a24 2b42 4c22 3n31 3b13 1 c33 3a32 3h23 2c33 3a33 3 b33 3c33 3a34 3b43 4c33 4 2141 4b14 1 c44 4 iI42 4h24 2c44 4a43 4h34 3c44 4 a44 4 b44 4 c44
PEl
PE2
2a21 lbll 1c21 2a22 3a31 lb21 l b l l 2c21 l c 3 1 2a23 3a32 1b31 lb21 3c21 2c31 2a24 3a33 1b41 1b31 4c21 3c31 3 iI31 3a34 2b12 1 b41 1 c32 4c31 3 ~ 1 3 2 4a41 2b22 2h12 2c32 l c 4 2 3a33 4a42 2b32 2h22 3 c32 2c42 3a34 4a43 2b42 2b32 4c32 3c42 4a41 4a44 3b13 2b42 1c43 4c42 4 a42 3 h23 243 41143 3b33 3c43 4 iI44 3b43 4c43
PE3
4a41 Ibll 141 4a42 lb21 2c41 4 a43 1 b31 3c41 4a44 1 b41 4c41
FIG. 3. Execution of multiplication of two 4 x 4 matrices C = A x B . The small block with leftmost column [i,, i z , i31Tcorresponds to the computation cil,iz= c ~ , +, u~ ~ ~. bi,,iz, ~ , which is executed at PE i, - iz and at time i , + 3i2 + i,.
~
~
ALGORITHM-SPECIFIC PARALLEL PROCESSING
21 7
The method discussed here does not guarantee absence of conflicts in data communication over the same link at the same time. We assume that there is enough bandwidth (through hardware links or virtual channels) between the communicating processors to support all the necessary data transfers. Alternatively, if data conflicts must be avoided, one must check the resulting designs for their occurrence. The designs obtained above have no data collisions if data can start to flow at any processor (or data do not have to enter the array solely from the leftmost or the rightmost processor), and data stop flowing as soon as they are no longer needed. This is true because in every column and every row of the matrix K there is only one nonzero entry $k_{j,j} = 1$, j = 1, ..., 3. This means that when data pass from the source to the destination, they use the data link just once (one hop between source and destination). Data-link collisions may occur if the data use links more than once when passing from the source to the destination. For example, if the space allocation matrix S' = [1, 1, N] and P' = [1, 1, 1], to satisfy the condition SD = PK, one possible set of values for K is $k_{1,1} = k_{2,2} = 1$, $k_{3,3} = N$, and $k_{i,j} = 0$, $i \neq j$. Thus, the distance between the source and destination for data C is N PEs and data C will take N hops over the third link in the processor array, or the link for C, to reach the destination. Suppose $PE_j$, j = 1, ..., N, are sending data $x_{i,j}$ (corresponding to $c_{i,j}$ of matrix C) to $PE_{j+N}$ at time $t_i$, i = 1, ..., N. Then at time $t_1$, $x_{1,1}$ is on the link between $PE_1$ and $PE_2$. At time $t_2$, two pieces of data $x_{1,1}$ and $x_{2,2}$ are on the link between $PE_2$ and $PE_3$, and so on. At time $t_{N-1}$, N - 1 pieces of data $x_{1,1}, x_{2,2}, \ldots, x_{N-1,N-1}$ are on the link between $PE_{N-1}$ and $PE_N$. So link collisions exist after time $t_1$. This is caused by $k_{3,3} = N$. As shown in Fig. 3, there is no link collision for the particular case N = 4 illustrated above.
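The feasibility test of Section 3 and the sum-ordered schedule search of Section 4 can be checked by brute force on the small cases used in the text. The following Python sketch is an added example, not code from the chapter; all function names are hypothetical. It assumes the matrix-multiplication index set is 1..N in each dimension (consistent with time steps 5 to 20 in Fig. 3) and restricts the search to positive schedule entries, as constraint 1 of (4.3) requires.

```python
from itertools import product
from math import gcd
from functools import reduce

def box(bounds):
    """Enumerate a constant-bounded index set J given [(l_j, N_j), ...] as in (2.5)."""
    return product(*(range(lo, hi + 1) for lo, hi in bounds))

def is_feasible(gamma, bounds):
    """Closed-form test: a conflict vector is feasible iff some |gamma_j| > N_j - l_j."""
    return any(abs(g) > hi - lo for g, (lo, hi) in zip(gamma, bounds))

def is_feasible_bruteforce(gamma, bounds):
    """Definition: no index point I in J may have I + gamma in J."""
    def inside(p):
        return all(lo <= x <= hi for x, (lo, hi) in zip(p, bounds))
    return not any(inside(tuple(i + g for i, g in zip(I, gamma)))
                   for I in box(bounds))

def primitive(v):
    """Divide out the gcd and make the first nonzero entry positive."""
    g = reduce(gcd, (abs(x) for x in v))
    v = [x // g for x in v]
    first = next(x for x in v if x != 0)
    return [-x for x in v] if first < 0 else v

def matmul_conflict_vector(pi):
    """Conflict vector of T = [Pi; S] with S = [1, -1, 0], taken from (3.3)."""
    p1, p2, p3 = pi
    return primitive([p3, p3, -(p1 + p2)])

def simulate(pi, S, bounds):
    """Map each index point to (time, PE); return (conflicts, time steps, PE count)."""
    slots = {}
    for I in box(bounds):
        t = sum(a * b for a, b in zip(pi, I))
        pe = sum(a * b for a, b in zip(S, I))
        slots.setdefault((t, pe), []).append(I)
    conflicts = [pts for pts in slots.values() if len(pts) > 1]
    times = [t for t, _ in slots]
    pes = {pe for _, pe in slots}
    return conflicts, max(times) - min(times) + 1, len(pes)

def search_schedules(N, S=(1, -1, 0)):
    """Enumerate positive Pi by increasing entry sum (the search order of
    Section 4) and return every conflict-free Pi at the first sum that has one."""
    bounds = [(1, N)] * 3          # assumed index set 1..N per dimension
    for total in range(3, 3 * N + 1):
        found = [pi for pi in product(range(1, total - 1), repeat=3)
                 if sum(pi) == total and not simulate(pi, S, bounds)[0]]
        if found:
            return total, found
    return None, []

if __name__ == "__main__":
    fig1 = [(0, 6), (0, 3)]        # index set of Fig. 1
    print(is_feasible([2, 1], fig1), is_feasible([2, 5], fig1))
    print(simulate((1, 3, 1), (1, -1, 0), [(1, 4)] * 3)[1:])
    print(search_schedules(4))
```

For N = 4 the search stops at entry sum 5 and returns [1, 3, 1] and [3, 1, 1], the two extreme points chosen in Example 4.1, together with [2, 2, 1], which has the same entry sum and the same conflict vector $[1, 1, -4]^T$.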
5. Parameter-Based Methods

In the previous section, we described a dependency-based approach (DM) for mapping algorithms to processor arrays. The approach is general and can synthesize processor arrays for algorithms with uniform as well as nonuniform recurrences. In this approach, a desired mapping can be found by determining the elements of a transformation matrix T. Since these elements have to be integers, finding an optimal design requires, in the general case, solving at least an integer linear programming problem. To reduce the complexity, the allocation matrix S can first be chosen heuristically, after which an optimal schedule vector $\Pi$ is found. For instance, an allocation matrix that uses a small number of processing elements can be used, and a design that minimizes the completion time can then be obtained on the basis of the matrix.

A more efficient design can be found if the designs are restricted to the case of recurrences with uniform indexing functions. In the next two sections, we present a parameter-based approach for mapping such recurrences. The thinking behind this method is as follows. It is known that the semantics of systolic arrays can be formally described by uniform recurrence equations, i.e., systolic arrays are isomorphic to uniform recurrences. This implies that as long as the computations defined by the uniform recurrences are well-formed, there is a direct mapping from the recurrence to the systolic array. In fact, this mapping is equivalent to a linear transformation of the index set. Hence, for a linear mapping, the time (respectively, the distance) is constant between execution of any two points $\vec{I}_1$ and $\vec{I}_2$ in the index set separated by a dependency vector $\vec{d}$, where $\vec{I}_2 = \vec{I}_1 + \vec{d}$. This constant is equal to $\Pi\vec{d}$ (respectively, $S\vec{d}$) independent of the index points $\vec{I}_1$ and $\vec{I}_2$.

For recurrences with uniform indexing functions (i.e., uniform recurrences and uniformized linear recurrences), the dependences are constant vectors and homogeneous (i.e., the set of dependency vectors at any one point in the index set is the same as at any other point in the index set). Thus, the computation of the recurrence on the processor array is periodic in time and space along the dependency directions in the index space. This periodicity is succinctly captured and exploited in the parameter-based approach that we shall discuss in the balance of this paper. In other words, parameter-based methods employ a different representation that captures the above periodicity, making it possible to find the optimal target array in an efficient manner.

Work on parameter-based methods was first done by Li and Wah (1985) for a restricted set of uniform recurrences. They considered, in particular, three- and two-dimensional recurrences and mapped them to two- and one-dimensional arrays, respectively. The structure of the recurrence was such that the dependency vectors were unit vectors and the dependency matrix an identity matrix. This was an important initial step in obtaining optimal processor arrays efficiently. This array-synthesis technique using parameters was considerably extended and generalized subsequently into a general parameter method (GPM) (Ganapathy and Wah, 1992a,b). Here the recurrence model was a general n-dimensional recurrence instead of a specific three-dimensional recurrence. The target arrays are also permitted to be of any lower dimension m (where m < n). It is assumed that the processing elements are equally spaced in m dimensions with unit distance between directly connected processing elements; buffers between directly connected processing elements, if any, are assumed to be equally spaced along the link.

5.1. Parameters
In GPM, the characterization of the behavior, correctness, and performance of a systolic array is defined in terms of a set of scalar and vector parameters. The crux of GPM is the characterization of the behavior, correctness, and performance of a systolic array by a set of vector and scalar parameters. When a uniform recurrence is executed on a systolic array, the computations are periodic and equally spaced in the systolic array. GPM captures this periodicity by a minimal set of parameters, which is defined as follows.

Parameter 1: Periods. The periods capture the time between execution of the source and sink index points of a dependency vector. Suppose that the time at which an index point $\vec{I}$ (defined for the uniform recurrence equation) is executed is given by a function $\tau_c(\vec{I})$, and let the period of computation $t_j$ along the dependency direction $\vec{d}_j$ be defined as follows:

$$t_j = \tau_c(\vec{I} + \vec{d}_j) - \tau_c(\vec{I}), \quad j = 1, 2, \ldots, r. \tag{5.1}$$

The number of periods defined is equal to r, the number of dependencies in the algorithm. In terms of DM, period $t_j$ satisfies the following equation:

$$t_j = \Pi \vec{d}_j, \tag{5.2}$$
where $\Pi$ is the schedule vector in DM.

Parameter 2: Velocity. The velocity of a datum is defined as the directional distance traversed in a single clock cycle; it is denoted $\vec{V}_j$. Since each PE is at unit distance from each neighbor, and buffers (if present) must be equally spaced between pairs of PEs, the magnitude of the velocity vector must be a rational number of the form i/j where i, j are integers and $i \le j$ (to prevent broadcasting).³ This implies that in j clock cycles, x propagates through i PEs and j - i buffers. All tokens of the same variable have the same velocity (both speed and direction), which is constant during execution in the systolic array. The total number of velocity parameters is r (one for each dependency vector) and each velocity is an m-element vector, where m is the dimension of the processor array. Hence, the velocity $\vec{V}_j$ is given by
(5.3)
where is the (vector) distance between the execution locations of the source and sink index points of the dependency vector $\vec{d}_j$. In the notation

³ A vector is characterized by its magnitude and a unit directional vector.
of DM, S, the allocation matrix, is related to 4
5 and ijas follows:
+
4.. = Sdj.

Parameter 3: Spacing or data distribution. Consider a variable $\Omega_i$ pipelined along the dependence vector $\vec{d}_i$, $1 \le i \le r$. The token $\Omega_i(\vec{I} - \vec{d}_i)$ is used at the index points $\vec{I} + t\vec{d}_i$, t = ..., -2, -1, 0, 1, 2, ..., in computing the recurrence. In other words, the token moves through processors that use the variable $\Omega_i$ at the index points $(\vec{I} + t\vec{d}_i)$. Consider another token $\Omega_i(\vec{I} - \vec{d}_j)$ of the same variable $\Omega_i$ used at index points $(\vec{I} - \vec{d}_j + t\vec{d}_i)$, $j \neq i$. The directional distance in the processor space from token $\Omega_i(\vec{I} - \vec{d}_j)$ to token $\Omega_i(\vec{I} - \vec{d}_i)$ is defined as a spacing parameter⁴ $\vec{S}_{i,j}$. Since there are r dependency vectors $\vec{d}_i$, $1 \le i \le r$, there are r - 1 nontrivial spacing parameters for each variable and a single trivial spacing parameter $\vec{S}_{i,i} = \vec{0}$. These denote the r distances for variable i: $\Omega_i(\vec{I} - \vec{d}_j) \to \Omega_i(\vec{I} - \vec{d}_i)$, i, j = 1, 2, ..., r. Each spacing parameter $\vec{S}_{i,j}$ is an m-dimensional vector, where m is the dimension of the processor array. The notation $\vec{S}_{i,j}$ denotes that it is the jth spacing parameter of the ith variable. A total of r(r - 1) nontrivial spacing parameters are defined. To compute $\vec{S}_{i,j}$, consider the movement of token $\Omega_j(\vec{I} - \vec{d}_j)$ of variable $\Omega_j$ from index point $(\vec{I} - \vec{d}_j)$ to index point $\vec{I}$ with velocity $\vec{V}_j$. In the notation of DM (based on (5.3) and (5.4) and Theorem 5.1),
The total number of parameters defined is $r \times (r + 2)$, of which $r$ are periods (scalars); the remaining $r^2 + r$ parameters are $m$-dimensional vectors, of which $r$ are velocities and $r^2$ are spacings (and $r$ of these spacings are trivially zero).

Example 5.1. Consider a three-dimensional recurrence with $n = 3$, $r = 5$,

$$Z(k, i, j) = X(k, i)\,Y(j, k) + Z(k-1, i+1, j+1) + Z(k-1, i+1, j) + Z(k-1, i, j+1). \qquad (5.6)$$

After pipelining, (5.6) becomes

$$Z(k, i, j) = X(k, i, j-1)\,Y(k, i-1, j) + Z(k-1, i+1, j+1) + Z(k-1, i+1, j) + Z(k-1, i, j+1). \qquad (5.7)$$
⁴ Spacing parameters in GPM are denoted by $\vec{S}$, whereas the processor-allocation matrix in DM is denoted by $S$.
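Let $\vec{I} = (i, j, k)^T$, $\vec{d}_1 = (0, 0, 1)^T$, $\vec{d}_2 = (0, 1, 0)^T$, $\vec{d}_3 = (1, -1, -1)^T$, $\vec{d}_4 = (1, -1, 0)^T$, $\vec{d}_5 = (1, 0, -1)^T$. Rewriting the recurrence in the functionally equivalent form, we obtain

$$Z(\vec{I}) = X(\vec{I} - \vec{d}_1) \times Y(\vec{I} - \vec{d}_2) + Z(\vec{I} - \vec{d}_3) + \Omega_4(\vec{I} - \vec{d}_4) + \Omega_5(\vec{I} - \vec{d}_5),$$

$$\Omega_i(\vec{I}) = Z(\vec{I}), \quad i = 4, 5, \qquad (5.8b)$$

where $\Omega_i$ are dummy variables. Each dependence is now associated with one variable. The dependence vectors, collected into a matrix, are

$$D = \begin{bmatrix} 0 & 0 & 1 & 1 & 1 \\ 0 & 1 & -1 & -1 & 0 \\ 1 & 0 & -1 & 0 & -1 \end{bmatrix}. \qquad (5.9)$$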
The parameters defined are as follows. The variables $X$, $Y$, $Z$, $\Omega_4$, and $\Omega_5$ have periods $t_1$, $t_2$, $t_3$, $t_4$, and $t_5$, respectively, and velocities $\vec{V}_1$, $\vec{V}_2$, $\vec{V}_3$, $\vec{V}_4$, and $\vec{V}_5$, respectively, where

$$\begin{aligned}
t_1 &= \tau_c(k, i, j) - \tau_c(k, i, j-1) \\
t_2 &= \tau_c(k, i, j) - \tau_c(k, i-1, j) \\
t_3 &= \tau_c(k, i, j) - \tau_c(k-1, i+1, j+1) \\
t_4 &= \tau_c(k, i, j) - \tau_c(k-1, i+1, j) \\
t_5 &= \tau_c(k, i, j) - \tau_c(k-1, i, j+1).
\end{aligned} \qquad (5.10)$$

There are 25 spacing parameters $\vec{S}_{i,j}$, $i, j = 1, 2, 3, 4, 5$, with $\vec{S}_{i,i} = \vec{0}$. For instance, consider the spacings of the first variable $X$: $\vec{S}_{1,2}$, $\vec{S}_{1,3}$, $\vec{S}_{1,4}$, and $\vec{S}_{1,5}$. These are defined as the distances

$(X(k, i, j-1) \to X(k, i-1, j))$,
$(X(k, i, j-1) \to X(k-1, i+1, j+1))$,
$(X(k, i, j-1) \to X(k-1, i+1, j))$, and
$(X(k, i, j-1) \to X(k-1, i, j+1))$,

respectively. Using the indexing function of $X$, these correspond to the distances

$(X(k, i) \to X(k, i-1))$,
$(X(k, i) \to X(k-1, i+1))$,
$(X(k, i) \to X(k-1, i+1))$, and
$(X(k, i) \to X(k-1, i))$,

respectively.
5.2 Constraints

In Section 5.1, a set of $r^2 + r$ parameters was introduced to define a target systolic array. The assignment of values to these parameters defines a specific systolic array with a particular number of processors, buffers, and data-input patterns. It is also easy to see that all systolic arrays that solve a given algorithm (or uniform recurrence) correspond to some assignment of values to the parameters. Hence, choosing different values for these parameters leads to different array configurations with different performances. As a result, the problem of array design has been reduced to that of choosing appropriate parameter values. The choice of a value for one of the $r^2 + r$ parameters is not independent of the choice of values for the other parameters. In this section, constraint equations relating the parameters are given such that the set of values for the parameters are meaningful and define a valid systolic array. Theorems 5.1 and 5.2 provide fundamental space-time relationships that must be satisfied by the parameters to ensure correct systolic processing. The avoidance of computational and data-link conflicts is enforced by the condition in Theorem 5.3. The theorems are provided without proofs due to space limitations.

The following notation is introduced to simplify the presentation of the theorems. Let $\vec{T} = [t_1, t_2, \ldots, t_r]$ be a vector composed of periods, and let $K = [\vec{k}_1, \vec{k}_2, \ldots, \vec{k}_r]$ be a matrix (of size $m \times r$, where $m$ is the dimension of the systolic array) composed of displacements $\vec{k}_i = \vec{V}_i t_i$. Both T and are t x 1 column vectors. The displacement $\vec{k}_i$ is synonymous with the velocity $\vec{V}_i$, because the choice of one immediately determines the other. In searching for parameter values, we choose to consider $\vec{k}_i$ and not $\vec{V}_i$.

Theorem 5.1. The parameters velocities, spacings, and periods must satisfy the following constraint equations for correct systolic processing:

$$\vec{V}_i t_i = \vec{V}_j t_j + \vec{S}_{j,i}, \quad i, j = 1, 2, \ldots, r. \qquad (5.11)$$
These constraints ensure that in computing an index point $\vec{I}$ at any processor in the array, all the participating data tokens must be present at the processor at the same time after moving from their respective processors where they had been used earlier. A total of $r^2$ constraints are obtained from Theorem 5.1. Let $S = [\vec{S}_{i,j}]$, $i, j = 1, 2, \ldots, r$, be an $r \times r$ "matrix" (actually, a matrix of vectors) of spacings such that the $(i, j)$th element of the matrix is $\vec{S}_{i,j}$. Note that, by definition, $\vec{S}_{i,i} = \vec{0}$. Let $S_i$ be the $i$th "row" of this "matrix" $S$, i.e., $S_i = [\vec{S}_{i,1}, \vec{S}_{i,2}, \ldots, \vec{S}_{i,r}]$ (where $S_i$ is an $m \times r$ matrix). Since $\vec{S}_{i,j} = \vec{V}_j t_j - \vec{V}_i t_i = \vec{k}_j - \vec{V}_i t_i$ from Theorem 5.1, it can be written in matrix form as

$$S_i = K - \vec{k}_i \otimes \vec{1}, \qquad (5.12)$$

where $\otimes$ is the outer or tensor product, i.e., $\vec{a} \otimes \vec{b} = \vec{a}\,\vec{b}^T = [a_i b_j]$.

The next theorem characterizes the constraints on the periods and displacements if the dependencies in the recurrence are not linearly independent. Let $g$ be the rank of the dependency matrix $D$. Therefore, $\mathcal{N}$, the null space of $D$, has $r - g$ columns (since $D$ has $r$ columns). Let

be an $r \times (r - g)$ matrix, where $G_i$, $i = 1, 2, \ldots, (r - g)$, are the basis vectors of the null space of $D$. Hence,

$$D \cdot G_i = 0, \quad 1 \le i \le (r - g). \qquad (5.13)$$

Theorem 5.2. The periods $t_i$ and the displacements $\vec{k}_i$ are related as follows:

$$\vec{T} \cdot \mathcal{N} = 0, \qquad (5.14)$$

$$K \mathcal{N} = 0, \qquad (5.15)$$

where $\mathcal{N}$ is a matrix consisting of the basis vectors of the null space of $D$.

The implication of Theorem 5.2 is as follows. If the dependency matrix $D$ is not full rank, i.e., some of the column vectors, say $\vec{d}_j$ of $D$, can be written as linear combinations of other column (dependency) vectors, the periods of computation $t_j$ (respectively, displacements $\vec{k}_j$) along the linearly dependent column vectors can be expressed by the same linear combinations of the other periods (respectively, displacements). Thus, the conditions provided by Theorem 5.2 are additional constraints from the definition of parameters and the dependency vectors in the algorithm. Theorem 5.2 provides a total of $2(r - g)$ constraints.
The following corollary can be easily derived from Theorem 5.2. The implication of this corollary is that only $g - 1$ of the $r$ spacing parameters for each variable are independent, one of them is zero, and the rest can be obtained as linear combinations of the $g - 1$ independent ones.

Corollary 5.1. The spacing parameters $S_i = [\vec{S}_{i,1}, \ldots, \vec{S}_{i,r}]$ are constrained by the equations

$$S_i \mathcal{N} = 0, \quad i = 1, 2, \ldots, r,$$

where $\mathcal{N}$ is a matrix consisting of the basis vectors of the null space of $D$.
Example 5.2. From Theorem 5.1, the constraint equations for the recurrence in (5.6) (excluding the trivial constraint $\vec{V}_1 t_1 = \vec{V}_1 t_1 + \vec{S}_{1,1}$) are

Similarly, there are 16 additional equations related to $\vec{V}_2 t_2$, $\vec{V}_3 t_3$, $\vec{V}_4 t_4$, and $\vec{V}_5 t_5$. $D$ defined in (5.9) has rank 3. Hence, $\mathcal{N}$ comprises two basis vectors.
(5.17)
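From Theorem 5.2, the additional constraints are

$$\begin{aligned}
t_4 &= t_1 + t_3, & \vec{k}_4 &= \vec{k}_1 + \vec{k}_3, \\
t_5 &= t_2 + t_3, & \vec{k}_5 &= \vec{k}_2 + \vec{k}_3.
\end{aligned} \qquad (5.18)$$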
In this example, there are a total of 27 vector constraints and two scalar constraints.
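The constraints of Theorem 5.2 can be generated mechanically from the dependency matrix. The following Python sketch is an added example, not code from the chapter: it computes an exact null-space basis of $D$ from (5.9) and uses it to complete the dependent periods and displacements. The function names are hypothetical; the sample periods and displacements are the $N = 3$ design values quoted in Section 6 for Fig. 4.

```python
from fractions import Fraction

# Dependency matrix D from (5.9); column j holds dependency vector d_(j+1).
D = [
    [0, 0, 1, 1, 1],
    [0, 1, -1, -1, 0],
    [1, 0, -1, 0, -1],
]


def null_space(matrix):
    """Return (pivot_columns, basis) using exact Gauss-Jordan elimination.

    `basis` maps each free (dependent) column to a null-space vector that has
    a 1 in that column and the negated reduced-row entries in pivot columns.
    """
    rows = [[Fraction(x) for x in row] for row in matrix]
    n_cols = len(rows[0])
    pivots = []
    for col in range(n_cols):
        r = len(pivots)
        if r == len(rows):
            break  # every row already has a pivot
        hit = next((i for i in range(r, len(rows)) if rows[i][col] != 0), None)
        if hit is None:
            continue  # no pivot in this column: it is a free column
        rows[r], rows[hit] = rows[hit], rows[r]
        lead = rows[r][col]
        rows[r] = [x / lead for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col] != 0:
                factor = rows[i][col]
                rows[i] = [a - factor * b for a, b in zip(rows[i], rows[r])]
        pivots.append(col)
    basis = {}
    for free in range(n_cols):
        if free in pivots:
            continue
        vec = [Fraction(0)] * n_cols
        vec[free] = Fraction(1)
        for row_index, p in enumerate(pivots):
            vec[p] = -rows[row_index][free]
        basis[free] = vec
    return pivots, basis


def complete(chosen, matrix):
    """Fill in the dependent parameters so that (values) . N = 0.

    `chosen` holds one value per independent (pivot) column, in column order.
    Values are scalars (periods) or tuples (m-dimensional displacements).
    """
    pivots, basis = null_space(matrix)
    if len(chosen) != len(pivots):
        raise ValueError("need exactly one value per independent dependency")
    scalar = not isinstance(chosen[0], tuple)
    values = [None] * len(matrix[0])
    for p, v in zip(pivots, chosen):
        values[p] = (Fraction(v),) if scalar else tuple(Fraction(x) for x in v)
    m = len(values[pivots[0]])
    for free, vec in basis.items():
        # vec[free] = 1, so the dependent value is minus the pivot combination.
        values[free] = tuple(
            -sum(vec[p] * values[p][d] for p in pivots) for d in range(m)
        )
    return [v[0] if scalar else v for v in values]


if __name__ == "__main__":
    pivots, basis = null_space(D)
    print("rank g =", len(pivots))
    print("periods t1..t5:", [str(t) for t in complete([1, 1, 2], D)])
    print("displacements k1..k5:", [str(k) for k in complete([0, 1, -1], D)])
```

The two basis vectors reproduce (5.18): the dependent columns are $\vec{d}_4$ and $\vec{d}_5$, and their periods and displacements follow from the three independent ones.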
To summarize, a total of $r^2 + r$ vector parameters and $r$ scalar parameters have been defined whose values have to be determined. Theorems 5.1 and 5.2 give a total of $r^2 + (r - g)$ vector constraints and $(r - g)$ scalar constraints. Hence, $g$ of the scalar parameters (periods) and $g$ of the vector parameters have to be chosen such that the other $r - g$ scalar parameters and the other $r^2 + (r - g)$ vector parameter values can be determined from the chosen scalar and vector constraints. Since the performance of the design can be naturally expressed in terms of periods and displacements, our strategy is to choose the $g$ periods and $g$ displacements and determine the remaining $r - g$ periods and $r - g$ displacements from Theorem 5.2 and all the $r^2$ spacings
using Theorem 5.1. Corollary 5.1 further states that only $g - 1$ of the $r$ spacings are independent for each variable. All the vector parameters are $m$-dimensional (with $m$ elements). The validity of the space-time mapping is governed by the following fundamental necessary and sufficient conditions.

1. Precedence constraints. An index point should be executed only after all the index points on which this depends have been executed. In DM, $\Pi D > 0$.
2. Computational conflicts. No two index points may be executed at the same processor at the same time. In DM, $\Pi(\vec{I}_1) = \Pi(\vec{I}_2)$ implies that $S(\vec{I}_1) \ne S(\vec{I}_2)$.
3. Data-link conflicts. No two data tokens may contend for a given link at the same time.

Having established the parameters and the two basic relationships among them, we show how the fundamental conditions for validity are satisfied in GPM. By definition, periods denote the time difference between the source and sink of the dependencies. Hence, the precedence constraints are satisfied by simply enforcing $t_i \ge 1$, $i = 1, \ldots, r$. In the array model, all tokens of the same variable move with the same velocity. Hence, data-link conflicts can exist if and only if two tokens of a variable are input at the same time into the same processor and travel together contending for links. This condition is called a data-input conflict in GPM, as two data tokens may be in the same physical location and may conflict with each other as they move through the processors together. It is important to note that in GPM, computational conflicts can exist if and only if data-input conflicts occur. This can be seen by the following simple argument. If two index points are evaluated in the same processor at the same time, then, for each variable, at least two distinct tokens exist together in the same processor. Hence, if there is at least one nonstationary variable, there will be data-input conflict for the tokens of that variable. Otherwise, all the variables are stationary and the entire computation is executed on one processor, i.e., there is no systolic array. Hence, by enforcing a rule that no data-input conflicts exist, both computational and data-link conflicts are avoided. Theorem 5.3 below presents conditions under which data-input conflicts can be eliminated.

Consider the spacings of variable $i$. Let $S_i$ be an $m \times (g - 1)$ matrix:

$$S_i = [\vec{S}_{i,1}, \vec{S}_{i,2}, \ldots, \vec{S}_{i,g-1}], \qquad (5.19)$$

where $\vec{S}_{i,1}, \vec{S}_{i,2}, \ldots, \vec{S}_{i,g-1}$ are $g - 1$ consistent spacings. Let $\vec{\alpha}$, $\vec{\beta}$, and $\vec{\gamma}$ be vectors with $g - 1$ integral elements. Let $L_k$, $U_k$, $k = 1, 2, \ldots, g - 1$, be defined such that the position of all the tokens of the input matrix can be represented by $\sum_{k=1}^{g-1} \vec{S}_{i,k}\,\beta_k$, where $L_k \le \beta_k \le U_k$. $L_k$ and $U_k$ are functions of the size of the input matrix.
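Theorem 5.3. Data-input conflicts occur in the input matrix of a nonstationary input $i$ if and only if $S_i \vec{\alpha} = \vec{0}$ and $\vec{\alpha} \ne \vec{0}$, where $\vec{\alpha} = [\alpha_1, \alpha_2, \ldots, \alpha_{g-1}]^T$ and $\alpha_i \in [(L_i - U_i), \ldots, (L_i + U_i)]$, for all $i$ such that $1 \le i \le g - 1$.

Proof. The position of any element of input $i$ can be described as $S_i \vec{\beta}$, where $\vec{\beta} = [\beta_1, \ldots, \beta_{g-1}]^T$ and $L_i \le \beta_i \le U_i$. Therefore,

Data-input conflicts
$\iff S_i \vec{\beta} = S_i \vec{\gamma}$, $\vec{\beta} \ne \vec{\gamma}$ and $L_i \le \beta_i, \gamma_i \le U_i$
$\iff S_i (\vec{\beta} - \vec{\gamma}) = \vec{0}$
$\iff S_i \vec{\alpha} = \vec{0}$, $\vec{\alpha} = \vec{\beta} - \vec{\gamma}$, $\alpha_i \in [(L_i - U_i), \ldots, (L_i + U_i)]$, $\vec{\alpha} \ne \vec{0}$. ∎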
Note that in Theorem 5.3, we have defined conservative bounds on $\alpha_i$. Better estimates can be obtained (Xue, 1993) and will result in less overhead when the conditions in Theorem 5.3 are checked in the design process.
Example 5.3. For the recurrence in (5.6), if the array sought is one-dimensional, the spacing parameters are all one-dimensional scalars. Let $\vec{S}_{1,2}$ and $\vec{S}_{1,5}$ be the two independent spacings for input $X$. We set the values of $L_1$ and $L_2$ to be 1, and the values of $U_1$ and $U_2$ to be $N$. Therefore, according to Theorem 5.3, data-input conflicts occur in input $X$ if and only if

(5.20)

where $-(N - 1) \le \alpha_1, \alpha_2 \le (N - 1)$ and $\alpha_1, \alpha_2 \ne 0$. For instance, if $N = 5$ and $\vec{S}_{1,2} = 6$ and $\vec{S}_{1,5} = 4$, we find that $\alpha_1 = 2$ and $\alpha_2 = -3$ satisfies (5.20). (In one dimension, the vector spacings are positive or negative numbers.) Hence, there are data-input conflicts in input $X$.
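Theorem 5.3 reduces conflict detection to a search for a nonzero integer vector in the null space of the spacing matrix. The Python sketch below is an added example, not code from the chapter: it enumerates the coefficient vector over the range used in Example 5.3, $-(U_k - L_k) \le \alpha_k \le U_k - L_k$, and recovers a colliding pair of token indices for each hit. Function names are hypothetical, and the conflict-free spacing pair (6, 5) and the two-dimensional spacings are constructed for illustration.

```python
from itertools import product


def position(spacings, coeffs):
    """Processor-space position sum_k coeffs[k] * spacings[k] (m-tuple)."""
    m = len(spacings[0])
    return tuple(
        sum(c * s[d] for c, s in zip(coeffs, spacings)) for d in range(m)
    )


def conflicting_alphas(spacings, lower, upper):
    """All nonzero integer alpha with S * alpha = 0 inside the index range.

    spacings : list of g-1 spacing vectors, each an m-tuple of integers
    lower    : L_k for each spacing
    upper    : U_k for each spacing
    alpha_k is a difference of two token indices in [L_k, U_k], so it is
    searched over [-(U_k - L_k), U_k - L_k].
    """
    ranges = [range(l - u, u - l + 1) for l, u in zip(lower, upper)]
    zero = (0,) * len(spacings[0])
    return [
        alpha
        for alpha in product(*ranges)
        if any(alpha) and position(spacings, alpha) == zero
    ]


def colliding_tokens(alpha, lower):
    """Return token index vectors (beta, gamma) with beta - gamma = alpha.

    gamma is pushed up from L_k only as far as needed to keep beta >= L_k,
    so both vectors stay inside [L_k, U_k] whenever |alpha_k| <= U_k - L_k.
    """
    gamma = tuple(l - a if a < 0 else l for a, l in zip(alpha, lower))
    beta = tuple(g + a for g, a in zip(gamma, alpha))
    return beta, gamma


if __name__ == "__main__":
    N = 5
    # Example 5.3: one-dimensional array, spacings S_{1,2} = 6 and S_{1,5} = 4.
    spacings = [(6,), (4,)]
    for alpha in conflicting_alphas(spacings, (1, 1), (N, N)):
        beta, gamma = colliding_tokens(alpha, (1, 1))
        print("alpha", alpha, "tokens", beta, gamma,
              "share position", position(spacings, beta))
    # Constructed conflict-free pair: 6*a1 + 5*a2 = 0 needs |a2| >= 6 > N - 1.
    print("conflicts for (6, 5):",
          conflicting_alphas([(6,), (5,)], (1, 1), (N, N)))
```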
5.3. Design Method

The design of a feasible processor array is equivalent to choosing an appropriate set of parameters that satisfy the constraints imposed by the dependency and application requirements. The search for the "best" design can be represented by the following optimization problem:

Minimize $b(N, t_1, \ldots, t_r, \vec{k}_1, \ldots, \vec{k}_r)$   (5.21)

Subject to:
$1 \le t_i$, $i = 1, \ldots, r$,
$0 \le |\vec{k}_i| \le t_i$, $i = 1, \ldots, r$,
constraints defined in Theorems 5.1, 5.2, and 5.3,
$\#PE \le \#PE^{UB}$ and $T_c \le T_c^{UB}$.

The objective function $b$ defined in (5.21) is expressed in terms of attributes such as $T_{comp}$, the computation time of the algorithm; $T_{load}$, the load time for the initial inputs; $T_{drain}$, the drain time for the final results; and #PE, the number of processing elements in the design. Note that the completion time for evaluating the recurrence is

$$T_c = T_{comp} + T_{load} + T_{drain}. \qquad (5.22)$$
All the attributes are then expressed in terms of parameters defined in GPM. The first two constraints in (5.21) follow directly from the definition of the parameters in GPM. Since the target array is systolic, the displacements should not exceed the periods $t_i$ in order to prevent data broadcasting (velocities should not exceed one). In addition, the constraints $t_i \ge 1$, $i = 1, 2, \ldots, r$, ensure that the precedence constraints are satisfied. The third constraint indicates that the recurrence is evaluated correctly by the processor array satisfying the dependency requirements (Theorems 5.1 and 5.2), and is free of data-link and computational conflicts (Theorem 5.3). The fourth constraint indicates the bounds on $T_c$ and #PE that are imposed on the design to be obtained. For instance, the following are two possible formulations of the optimization problem: (a) Minimize $T_c$ for a design with a maximum bound on #PE, $\#PE^{UB}$; (b) Minimize #PE for a design with a maximum bound on $T_c$, $T_c^{UB}$. Both of these formulations represent trade-offs between $T_c$ and #PE. This is a unique advantage to using GPM as a way of synthesizing systolic arrays. Both optimization problems and trade-offs are illustrated in detail in Section 6. Another unique feature of GPM is that the formulation in (5.21) is defined with respect to a specific recurrence and a specific problem size $N$. This allows a truly application-specific and problem-size-specific systolic array to be designed to suit specific application requirements. In addition to the constraints we have discussed, there are other constraints that may be defined in the search process. Since, in general, the objective function is nonlinear, involving functions such as ceiling, floor, and the maximum/minimum of a set of terms, it is difficult to describe a
comprehensive algorithm that covers all possible cases. In the following, we first describe our general search strategy, after which we discuss searches with objectives that are functions of $T_{load}$, $T_{comp}$, $T_{drain}$, and #PE. We then present the search algorithm and show its application to special cases of optimizing $T_{comp}$ and #PE.

Our general search strategy takes the objective function $b$ (assumed to be minimized) and decomposes it into two functions $b_1$ and $b_2$ related by $f$ as follows:

$$b(N, t_1, \ldots, t_r, \vec{k}_1, \ldots, \vec{k}_r) = f\big(b_1(t_1, \ldots, t_r, \vec{k}_1, \ldots, \vec{k}_r),\; b_2(t_1, \ldots, t_r, \vec{k}_1, \ldots, \vec{k}_r)\big), \qquad (5.23)$$
where $N$ is not represented explicitly since it is a constant in the optimization. The decomposition is done in such a way that $b_1$ is a monotonic function of its variables (which are enumerated), and $b_2$ is a function in which a lower-bound estimate on its value can be obtained easily. In addition, $f$ is assumed to be a monotonically increasing function with increasing values of $b_2$ so that a lower-bound estimate on $b_2$ can be used to get an upper bound on $b_1$. The search proceeds by systematically enumerating all combinations of a selected set of parameters defined in $b_1$, and solving for the rest of the parameters by the constraints defined in (5.21) or by computing their values when the lower bound of $b_2$ is evaluated. Every time a combination of parameters in $b_1$ is searched, a lower-bound estimate on $b_2$ is computed. This lower-bound estimate, together with $B^{incumbent}$, the objective value of the current incumbent design, defines an upper bound on the value of $b_1$ to be enumerated further in the search process. That is, (5.24)
Note that this equation only defines an upper bound on the value of $b_1$ to be enumerated; it does not define the combinations of parameter values of $b_1$ that can be pruned. Pruning of combinations of parameter values of $b_1$ is possible only if $b_1$ is monotonic with respect to the combination of parameter values chosen in the enumeration process. To illustrate our search strategy, consider an objective that is a function of $T_{comp}$, $T_{load}$, $T_{drain}$, and #PE as follows:

$$B = b_1(T_{comp}, T_{load}, T_{drain}, \#PE)\; b_2(T_{comp}, T_{load}, T_{drain}, \#PE). \qquad (5.25)$$

Assume that a lower-bound estimate of $b_2$ can be obtained by setting $T_{load} = T_{drain} = 0$, $T_{comp} = T_{comp}^{min}$, and $\#PE = \#PE^{min}$. Consider a case in which #PE is expressed as a function of $|\vec{k}_1|, \ldots, |\vec{k}_r|$. #PE is minimal when exactly one $|\vec{k}_i|$ is 1, and the rest of them $|\vec{k}_j|$, $j \ne i$, are 0. Similarly a crude
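$T_{comp}^{min}$ can be obtained by letting all $t_i = 1$. Hence, given $B^{incumbent}$, we have

$$B^{incumbent} = b_1^{UB}\big(T_{comp}, T_{load}, T_{drain}, \#PE \,\big|\, T_{load} = T_{drain} = 0,\ \#PE = \#PE^{min}\big)\; b_2^{LB}\big(T_{comp}, T_{load}, T_{drain}, \#PE \,\big|\, T_{comp} = T_{comp}^{min},\ T_{load} = T_{drain} = 0,\ \#PE = \#PE^{min}\big), \qquad (5.26)$$

or, equivalently,

$$T_{comp}^{UB} = b_1^{-1}\!\left(\frac{B^{incumbent}}{b_2^{LB}\big(T_{comp}, T_{load}, T_{drain}, \#PE \,\big|\, T_{comp} = T_{comp}^{min},\ T_{load} = T_{drain} = 0,\ \#PE = \#PE^{min}\big)}\right), \qquad (5.27)$$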
where $b_1^{-1}$ is the inverse function of $b_1$, and $T_{comp}$ is the dummy parameter $T_{comp}$ used in $b_1$. For example, let the objective function be

$$B = (T_{comp} + T_{load} + T_{drain})^2 \times \#PE = b_1(T_{comp} + T_{load} + T_{drain}) \times b_2(\#PE). \qquad (5.28)$$

According to (5.27), we have

$$T_{comp}^{UB} = \sqrt{B^{incumbent} / \#PE^{min}}. \qquad (5.29)$$
$T_{comp}^{UB}$ is refined continuously as new incumbent designs are found in the search, and the search stops when there is no combination of $t_i$, $i = 1, \ldots, r$, that satisfies $T_{comp} \le T_{comp}^{UB}$. In the following, we describe the search procedure for an objective function of the form in (5.25).

Search procedure for minimizing $b(\#PE, T) = b(T_{comp}, T_{load}, T_{drain}, \#PE)$, where $T_{comp}$ is a function of $t_1, \ldots, t_r$, $T_{load}$ and $T_{drain}$ are functions of $t_1, \ldots, t_r$, $|\vec{k}_1|, \ldots, |\vec{k}_r|$, and #PE is a function of $|\vec{k}_1|, \ldots, |\vec{k}_r|$.

1. Choose $g$ periods and $g$ displacements to be unconstrained parameters. Without loss of generality, we may let these periods and displacements be $t_i$ and $\vec{k}_i$, $1 \le i \le g$, respectively.
2. Initialize $T_{comp}^{UB}$ to be the computation time required to evaluate the recurrence sequentially.
3. Set the values of all the $g$ unconstrained periods $t_i$, $i = 1, \ldots, g$, to be unity.
4. Choose the magnitude of $g$ unconstrained displacements $|\vec{k}_i|$, $i = 1, \ldots, g$, to be zero.
5. Compute the values of the other dependent $r - g$ periods and displacements using the conditions of Theorem 5.2.
6. Compute $T_{comp}^{cur}$ using the periods and displacements found, where $T_{comp}^{cur}$ is the computation time (without load and drain times) required for processing the recurrence by substituting the current values of $t_i$, $i = 1, \ldots, r$. (Note that the design may not be feasible at this time.) If $T_{comp}^{cur} > T_{comp}^{UB}$, exit with the incumbent design.
7. Solve for the spacing parameters from (5.11) defined in Theorem 5.1.
8. Check for data-input conflicts using Theorem 5.3 on the spacing parameters; also, check whether the constraints on $T_c$ and #PE are violated (constraint 4 in (5.21)).
9. If the solution is not feasible, increment one $|\vec{k}_i|$ and repeat Steps 5, 6, 7, and 8 until $|\vec{k}_i|$ are all equal to $t_i$, $i = 1, \ldots, r$. If all the $|\vec{k}_i|$ equal $t_i$ and no feasible design is found, go to Step 10. If a feasible design is found, go to Step 11.
10. Increment one of the periods such that $T_{comp}^{cur}$ increases by the lowest possible value. Go to Step 4.
11. Compute $B^{cur}$, the objective value achieved by the current design found. If $B^{cur} < B^{incumbent}$, set $B^{incumbent} = B^{cur}$ and compute $T_{comp}^{UB}$ for the current design using (5.27). Increment one $|\vec{k}_i|$ and go to Step 5.

The worst-case complexity of the search procedure above is $(T_{comp}^{seq})^{2g}$, where $T_{comp}^{seq}$ is the time needed to process the recurrence sequentially. This bound is true because we iterate in the worst case all combinations of $t_i$ and $|\vec{k}_i| \le t_i$, $i = 1, \ldots, r$. A special case of the optimization is to find a design with minimum computation time (not including load and drain times). This is discussed in Section 4 of this paper as well as in our earlier work (Ganapathy and Wah, 1992a,b). In this case, $b_2$ is a constant function, and $b_1$ a linear function of $t_1, \ldots, t_r$. Hence, the first feasible design found sets $T_{comp}^{UB}$ equal to $T_{comp}^{cur}$ of the feasible design obtained, and the first feasible design becomes the optimal design that minimizes $T_{comp}$. For a design that minimizes #PE, the search procedure described above needs to be changed. In this case, $b_1$ should be defined as a function of $|\vec{k}_1|, \ldots, |\vec{k}_r|$. The search should start iterating with the smallest combinations of these variables.
6. Applications of the General Parameter Method

Path-finding problems belong to an important class of optimization problems. Typical examples include computing the transitive closure and the shortest paths of a graph. Two-dimensional systolic arrays for finding transitive closures have been studied extensively in the literature (Kung et al.,
1987; Guibas et al., 1979; Rote, 1985). In this section we synthesize a one-pass linear systolic array for the Warshall-Floyd path-finding algorithm. The discussion below is with respect to the transitive closure problem. The transitive closure problem is defined as follows. Compute the transitive closure $C^*[i, j]$ of an $n$-node directed graph with an $n \times n$ Boolean adjacency matrix $C[i, j]$, where $C[i, j] = 1$ if there is an edge from vertex $i$ to vertex $j$ or $i = j$, and $C[i, j] = 0$ otherwise. Since the dependency structure is irregular and difficult to map, S. Y. Kung et al. (1987) converted the transitive closure algorithm into a reindexed form and mapped it to 2-D spiral and orthogonal arrays. Based on their algorithm we obtain the following five dependency vectors after pipelining the variables:

$$\begin{aligned}
\vec{d}_1 &= (0, 0, 1)^T && \text{for } (k, i, j)^T \leftarrow (k, i, j-1)^T, && 2 \le j \le N, \\
\vec{d}_2 &= (0, 1, 0)^T && \text{for } (k, i, j)^T \leftarrow (k, i-1, j)^T, && 2 \le i \le N, \\
\vec{d}_3 &= (1, -1, -1)^T && \text{for } (k, i, j)^T \leftarrow (k-1, i+1, j+1)^T, && 2 \le k \le N,\ 1 \le i, j \le N-1, \\
\vec{d}_4 &= (1, -1, 0)^T && \text{for } (k, i, N)^T \leftarrow (k-1, i+1, N)^T, && 2 \le k \le N,\ 1 \le i \le N-1, \\
\vec{d}_5 &= (1, 0, -1)^T && \text{for } (k, N, j)^T \leftarrow (k-1, N, j+1)^T, && 2 \le k \le N,\ 1 \le j \le N-1,
\end{aligned} \qquad (6.1)$$

where $\vec{I}_1 \leftarrow \vec{I}_2$ means that the data at point $\vec{I}_2$ is used at point $\vec{I}_1$. For nodes on the boundary of dependency graph $G$ where $i = N$ (respectively, $j = N$), dependency $\vec{d}_4$ (respectively, $\vec{d}_5$) is present instead of dependency $\vec{d}_3$. For other interior points, only the three dependencies $\vec{d}_1$, $\vec{d}_2$, and $\vec{d}_3$ exist. The running example discussed in Section 5 is a recurrence with the five dependencies listed above. The dependency graph of the recurrence used in example [(5.6)] is regular and homogeneous with five dependencies at each point. However, for transitive closure the dependency graph is not completely regular. Hence, control bits are used to modify the flow (or velocity) of the tokens in order to execute the dependency graph on the processor array correctly. The key observation is as follows. Matrix $C$ (whose transitive closure is to be found) is input along dependency direction $\vec{d}_3$. Inputs along other dependency directions $\vec{d}_1$, $\vec{d}_2$, $\vec{d}_4$, $\vec{d}_5$ are nonexistent, i.e., they are never sent into the array from the external host. Hence, there are no data-input conflicts along these dependency directions as the generated outputs are sent at most once on each link in every cycle of the array. As a result, we need to consider only data-input conflicts along direction $\vec{d}_3$. Since dependencies $\vec{d}_3$, $\vec{d}_4$, and $\vec{d}_5$ never coexist,
A total of eight relevant parameters are defined for the transitive closure problem: three periods $t_1$, $t_2$, $t_3$, three displacements $\vec{k}_1$, $\vec{k}_2$, and $\vec{k}_3$, and two spacings $\vec{S}_{3,1}$ and $\vec{S}_{3,2}$. For a linear array all the parameters are scalars. Applying Theorem 5.2 and in the same way as in the derivation of (5.18), the periods along directions $\vec{d}_4$ and $\vec{d}_5$ are given as $t_4 = t_1 + t_3$ and $t_5 = t_2 + t_3$. Similarly, the displacements $\vec{k}_4 = \vec{k}_1 + \vec{k}_3$ and $\vec{k}_5 = \vec{k}_2 + \vec{k}_3$. From Theorem 5.1 and (5.3), we get
We illustrate in the rest of this section five formulations of the optimization of systolic arrays: (a) $T_{comp}$-optimal designs without bound on #PE; (b) $T_c$-optimal designs without bound on #PE; (c) #PE-optimal designs without bound on $T_c$ or $T_{comp}$; (d) optimal designs with specific bounds on $T_{comp}$ or #PE; and (e) optimal designs with specific bounds on $T_c$ or #PE. Recall from Section 5 that $T_c = T_{load} + T_{comp} + T_{drain}$, and that we need to express $T_{load}$, $T_{comp}$, $T_{drain}$, and #PE in terms of the parameters defined in GPM. For this example, $T_{comp}$ and #PE are stated below without proof (Ganapathy and Wah, 1992b).

Lemma 6.1. $T_{comp}$, the computation time (without load and drain times), and #PE, the number of processing elements, for computing an $N \times N$ transitive closure in a linear systolic array satisfying the dependencies defined in (6.1) are given by

$$T_{comp} = (N - 1)(2t_1 + 2t_2 + t_3) + 1, \qquad (6.2)$$

$$\#PE = (N - 1)\big(|\vec{k}_1| + |\vec{k}_2| + |\vec{k}_1 + \vec{k}_2 + \vec{k}_3|\big) + 1. \qquad (6.3)$$

Due to space limitations, we state below without proof the equations for $T_{load}$ and $T_{drain}$. The idea behind the proof is to enumerate all the eight possible directions of $\vec{k}_1$, $\vec{k}_2$, and $\vec{k}_3$ and compute the load and drain times for each.

Lemma 6.2. $T_{load}$, the load time, and $T_{drain}$, the drain time, for computing an $N \times N$ transitive closure in a linear systolic array satisfying the dependencies defined in (6.1) are given by

where if $\vec{x}$ and $\vec{y}$ are in opposite directions otherwise

(6.5)
For linear-array synthesis, since the spacings are scalars, let $s_{3,1} = |\vec{S}_{3,1}|$ and $s_{3,2} = |\vec{S}_{3,2}|$. The condition for data-input conflict (Theorem 5.3) can be refined as given in Theorem 6.1, which we state without proof.

Theorem 6.1. Data-input conflicts occur in an input matrix $C$ if and only if

$$\frac{s_{3,1}}{\xi} < N \quad \text{and} \quad \frac{s_{3,2}}{\xi} < N,$$

where $\xi = \mathrm{GCD}(s_{3,1}, s_{3,2})$ and $\mathrm{GCD}(a, b)$ is the greatest common divisor of $a$ and $b$.

Table 1 shows the optimal linear designs found by the search procedure of GPM in which the objective is to minimize either $T_{comp}$ or $T_c$. In finding these designs, $t_3$ is incremented before $t_1$ or $t_2$ in Step 10 of the search procedure presented in Section 5.3 (refer to (6.2)), since such a procedure increases $T_{comp}$ by the least amount. The designs in the left half of Table 1 are based on first optimizing $T_{comp}$. From the set of designs that have minimal $T_{comp}$, we found designs that require the minimal #PE, after which we found designs that require minimal $T_{load}$ and $T_{drain}$. We list $T_{load}$, $T_{comp}$, $T_{drain}$, the #PEs needed, and the CPU time used by the search procedure running on a Sun Sparcstation 10/30. The designs found are identical to the designs we have published before (Ganapathy and Wah, 1992a,b), except for the case $N = 8$. In our previous design for $N = 8$ (Ganapathy and Wah, 1992a,b), we had $(t_1, t_2, t_3) = (1, 2, 3)$ and $(\vec{k}_1, \vec{k}_2, \vec{k}_3) = (0, -2, 1)$. This design was found without considering $T_{load}$ and $T_{drain}$. As a result, it requires $T_{load} = T_{drain} = 64$ time units, which is the same as $T_{comp}$. In our current design for $N = 8$, we found a better design that requires less $T_{load}$ and $T_{drain}$. The designs on the right half of Table 1 are based on optimizing $T_c$. As a result, they have less total completion time and more #PEs than those on the left half of the table. For instance, for $N = 300$, the completion time for the design optimizing $T_c$ requires 7% less completion time and 35% more PEs than the design optimizing $T_{comp}$. Note that both designs were developed without bounds on #PEs. It is important to point out that the objective used (whether to minimize $T_{comp}$ or to minimize $T_c$) depends on the application. If the linear processor array is used to evaluate the transitive closure of one matrix, then minimizing $T_c$ will be important.
On the other hand, if the processor array is used for pipelined evaluation of transitive closures of multiple matrices, then minimizing $T_{comp}$ may be important. More precisely, we would like to minimize the total completion time for evaluating a sequence of transitive closures, which includes the total computation time of the set of matrices and the times overlapped between draining the results of the previous matrix and loading the inputs of the next matrix. Similar results on computing a sequence of matrix products can be found in Ganapathy and Wah (1993).

GPM: $T_{comp}$-Optimal Linear-Array Designs (Min $T_{comp}$ Designs) and GPM: $T_c$-Optimal Linear-Array Designs (Min $T_c$ Designs)

| N | Min $T_{comp}$: ($T_{load}$, $T_{comp}$, $T_{drain}$) | #PEs | Min $T_c$: ($T_{load}$, $T_{comp}$, $T_{drain}$) | #PEs |
|---|---|---|---|---|
| 3 | (5, 13, 5) | 3 | (3, 15, 3) | 3 |
| 4 | (10, 22, 10) | 4 | (4, 28, 4) | 4 |
| 8 | (13, 64, 13) | 22 | (15, 64, 15) | 22 |
| 16 | (51, 166, 51) | 46 | (31, 181, 31) | 76 |
| 32 | (113, 435, 113) | 156 | (94, 466, 94) | 218 |
| 64 | (369, 1198, 369) | 379 | (253, 1261, 253) | 694 |
| 100 | (606, 2278, 606) | 892 | (496, 2278, 496) | 1387 |
| 200 | (1743, 6170, 1743) | 2787 | (1195, 6568, 1195) | 3782 |
| 300 | (2851, 11363, 2851) | 5084 | (2393, 11363, 2393) | 6878 |

TABLE 2. #PE-OPTIMAL LINEAR ARRAYS FOR FINDING THE TRANSITIVE CLOSURE OF AN $N \times N$ MATRIX (parameters for #PE-optimal designs derived by GPM are shown in Theorem 6.2)

| N | Lee and Kedem (1990) Designs: ($T_{load}$, $T_{comp}$, $T_{drain}$) | #PEs | Shang and Fortes (1992) Designs: ($T_{load}$, $T_{comp}$, $T_{drain}$) | #PEs | Designs by GPM: ($T_{load}$, $T_{comp}$, $T_{drain}$) | #PEs |
|---|---|---|---|---|---|---|
| 3 | (5, 17, 5) | 5 | (3, 11, 3) | 3 | (5, 13, 5) | 3 |
| 4 | (13, 31, 13) | 7 | (7, 19, 7) | 4 | (10, 22, 10) | 4 |
| 8 | (85, 127, 85) | 15 | (43, 71, 43) | 8 | (50, 78, 50) | 8 |
| 16 | (421, 511, 421) | 31 | (211, 271, 211) | 16 | (226, 286, 226) | 16 |
| 32 | (1861, 2047, 1861) | 63 | (931, 1055, 931) | 32 | (962, 1086, 962) | 32 |
| 64 | (7813, 8191, 7813) | 127 | (3907, 4159, 3907) | 64 | (3970, 4222, 3970) | 64 |
| 100 | (19405, 19999, 19405) | 199 | (9703, 10099, 9703) | 100 | (9802, 10198, 9802) | 100 |
| 200 | (78805, 79999, 78805) | 399 | (39403, 40199, 39403) | 200 | (39602, 40398, 39602) | 200 |
| 300 | (178205, 179999, 178205) | 599 | (89103, 90299, 89103) | 300 | (89402, 90598, 89402) | 300 |

If the objective is to minimize #PE in the linear array, then Theorem 6.2, which we state without proof (Ganapathy and Wah, 1992a,b), characterizes the #PE-optimal design.

Theorem 6.2. The parameters $(t_1, t_2, t_3) = (1, 1, N - 1)$ and $(\vec{k}_1, \vec{k}_2, \vec{k}_3) = (0, \pm 1, \mp 1)$ or $(\pm 1, 0, \mp 1)$ result in a linear array with a primary objective of minimizing the number of PEs, and a secondary objective of minimizing the computation time. ∎
Table 2 shows the #PE-optimal designs obtained by GPM as well as those obtained by Lee and Kedem (LK) (1990) and Shang and Fortes (SF) (1992). In this table, we show the load and drain times, computation time, and #PEs for designs derived by the three methods. $\Pi$ (the schedule vector), $S$ (the PE allocation matrix), and the corresponding parameters in GPM are summarized as follows:

| Method | $\Pi$ | $S$ | $(t_1, t_2, t_3)$ | $(\vec{k}_1, \vec{k}_2, \vec{k}_3)$ |
|---|---|---|---|---|
| LK | $[2N - 1, 2, 1]^T$ | $[0, 1, 1]^T$ | $(1, 2, 2N - 4)$ | $(1, 1, -2)$ |
| SF | $[N, 1, 1]^T$ | $[0, 0, -1]^T$ | $(1, 1, N - 2)$ | $(-1, 0, 1)$ |
| GPM | $[N + 1, 1, 1]^T$ | $[0, 0, -1]^T$ | $(1, 1, N - 1)$ | $(-1, 0, 1)$ |
The GPM parameters are computed based on (5.2) and (5.4) assuming the dependencies are $\vec{d}_1 = [0, 0, 1]^T$, $\vec{d}_2 = [0, 1, 0]^T$, and $\vec{d}_3 = [1, -1, -1]^T$. Table 2 shows that both the SF and GPM designs require the minimum number of PEs. The SF designs, however, were developed based on a different set of parameters. According to Lemma 6.1, the SF designs have a computation time $T_{comp} = (N - 1)(N + 2) + 1$. This computation time is lower than that of the GPM designs characterized by Theorem 6.2. This difference is attributable to the fact that Shang and Fortes assumed that conflict must be avoided only after a variable is first used and before its last use or generation. This is a valid assumption for systems with fast I/O (or where each PE has its own I/O) or in cases where inputs are preloaded and outputs need not be drained or are postdrained. In GPM, we consider both conflicts in computation as well as in the data links. Excluding designs that result in computational and data-link conflicts results in designs that require slightly longer load, drain, and computation times. To illustrate this point, consider the case for $N = 3$ and $N = 4$. The periods and velocities used in the SF design (Shang and Fortes, 1992) lead to spacings $\vec{S}_{3,1} = (N - 1)/(N - 2)$ and $\vec{S}_{3,2} = 1/(N - 2)$. These values of spacings result in data-input conflicts between the tokens $(C_{1,j}, C_{N-1,j-1})$ and $(C_{2,j}, C_{N,j-1})$, $j = 2, 3, \ldots, N$, of the input matrix $C$ (Theorem 6.1). The space-time diagrams of two linear arrays, one optimizing $T_{comp}$ and the other optimizing $T_c$, for $N = 3$ are shown in Figs. 4 and 5, respectively. The design in Fig. 4 optimizes $T_{comp}$ and has the parameters $(t_1, t_2, t_3) = (1, 1, 2)$ and $(\vec{k}_1, \vec{k}_2, \vec{k}_3) = (0, 1, -1)$. This design minimizes both $T_{comp}$ and #PE, and, therefore, minimizes any objective of the form $\#PE^m \times T_{comp}^n$ for $m, n \ge 1$. Note that the load and drain times ($T_{load} = T_{drain} = 5$) are not shown in the diagrams.
Further, note that for correct execution of the Floyd-Warshall algorithm, control signals are needed to govern the index-dependent assignments performed by the PEs in the array. These index-dependent assignments are given in Tables I and I1 in Lee and Kedem (1988). In Fig. 5 , we show a new design that optimizes &. This design uses less load and drain times (three units each), but the computation time camp is higher than in Fig. 4. Comparing the results shown in Tables 1 and 2, we found, for instance, that for a problem of size 200, the &-optimal design is 13.35 times faster than the WE-optimal design in terms of completion time, and uses 18.9 times more PEs than the WE-optimal design. (The T,-optimal design for N = 200 requires 8,958 time units and 3,782 PEs, whereas the #PE-optimal design requires 119,602 time units and 200 PEs.) It would be beneficial from a design point of view to develop designs with values of #PE and & in between these extreme values. This is important in practical situations
[Figure: space-time diagram with axes Time and PE 1, PE 2, PE 3; input matrix on link 3, $v_3 = -1/2$.]
FIG. 4. Linear array to find the transitive closure of a 3 x 3 matrix. The array is optimal with respect to minimizing computation time, #PE, or $\#PE^m \times T^n$, $m, n \ge 1$.
because a designer might be unwilling to settle for either the large number of PEs required in the minimum-time design or the long completion time of the minimum-processor design. In realistic design situations there may be bounds on the number of processors or the completion time or both. Hence, one possible objective is to have as few processors as possible, so long as the time is within a preset upper limit, $T_c^{ub}$ (or $T_{comp}^{ub}$), and another is to minimize $T_c$ (or $T_{comp}$) with #PE less than a given upper bound $\#PE^{ub}$. In the following discussion, let $T_{comp}^{min}$ and $\#PE^{max}$ be, respectively, the computation time and #PE of the minimum-$T_{comp}$ design. Designs with
[Figure: space-time diagram with axes Time and PE 1, PE 2, PE 3; input matrix on link 3, $v_3 = -1$.]
FIG. 5. Linear array to find the transitive closure of a 3 x 3 matrix. The array is optimal for completion time, which includes load time, computation time, and drain time.
$\#PE > \#PE^{max}$ would not be useful as their computation times have to be at least $T_{comp}^{min}$. Let $T_{comp}^{max}$ and $\#PE^{min}$ be, respectively, the computation time and the #PE of the minimum-processor design (from Theorem 6.2 and Lemma 6.2, $\#PE^{min} = N$). Again, there is no benefit in obtaining designs with $T_{comp} > T_{comp}^{max}$ as the number of PEs cannot be reduced below $\#PE^{min}$.
[Figure: plot; x-axis: Normalized Completion Time.]
FIG. 6. Performance tradeoffs: variation in #PE with time bound $T_{comp}^{ub}$, and variation in $T_{comp}$ with processor bound $\#PE^{ub}$. The plots are given for the three problem sizes N = 100, 200, and 300.
We are interested in finding designs with computation time greater than $T_{comp}^{min}$ and #PE less than $\#PE^{max}$. Figure 6 shows how #PE varies with $T_{comp}$ for three different problem sizes: N = 100, 200, and 300. The y-axis #PE is normalized by $\#PE^{max}$, and the x-axis $T_{comp}$ is scaled by $T_{comp}^{min}$. This lets us compare the different problem sizes uniformly on the same scale. The stepped curves are obtained by bounding $T_{comp}$ and finding the #PE-optimal designs for specific recurrence sizes. The curves are stepped because there exist only a small and finite number of systolic array configurations that can satisfy the given time constraints. If the goal is to find the #PE-optimal designs, we will have a small number of array configurations; for each configuration, we select the one with the minimum computation time. Given the bound $T_{comp}^{ub}$ (respectively, $\#PE^{ub}$) the designer can use Fig. 6 to read off the minimum #PE (respectively, $T_{comp}$) required and decide (possibly from a cost perspective) if it is acceptable. Again, the designer could exploit the initial steep decline in the plots to choose an alternative design that trades performance for cost. For instance, the minimum #PE for N = 200 drops by 43% for only a 19% increase in computation time. If both $T_{comp}$ and #PE are bounded from above, the design with minimum #PE for the given time bound is determined using Fig. 6. First, a horizontal line is drawn across the graph for the desired bound on #PE.
[Figure: plot; x-axis: Normalized Completion Time; curves: N = 100, $T_{comp}$; N = 100, $T_c$; N = 200, $T_{comp}$; N = 200, $T_c$.]
FIG. 7. Different tradeoffs obtained using $T_{comp}$ or $T_c$ as the measure of performance. The plots are given for two problem sizes N = 100 and 200.
The intersection between this line and the stepped curve represents the minimum $T_{comp}$ needed for any feasible design. If this minimum $T_{comp}$ is less than the desired $T_{comp}$, a feasible design can be obtained by the procedure discussed in Section 5. This now represents the best design under both time and processor constraints. Another observation from Fig. 6 is that the plots for larger N decrease more rapidly than those for smaller N. Hence, for larger values of N, there is a substantial reduction in #PE (respectively, $T_{comp}$) for a relatively small increase of the computation time (respectively, #PE) from the optimum. Therefore, for large N, there are more attractive alternatives than the time-optimal or #PE-optimal designs. Figure 7 shows a similar plot as in Fig. 6 except that here the difference between tradeoffs obtained on $T_c$ and #PE versus tradeoffs obtained on $T_{comp}$ and #PE is depicted. Two sets of curves are shown, one for designs that minimize $T_{comp}$ and the other for designs that minimize $T_c$, for N = 100 and N = 200, respectively. The y-axis of these curves is normalized with respect to #PE when $T_c$ is minimum (since these designs require more PEs and less $T_c$), and the x-axis is normalized with respect to $T_c$ when $T_{comp} = T_{comp}^{min}$. The graphs show the difference between designs obtained by different objectives. Given a bound $T_c^{ub}$, we can see that the number of processors obtained by minimizing $T_c$ is less than or equal to the number of processors obtained by minimizing $T_{comp}$.
7. Conclusions

Algorithm-specific parallel processing with linear processor arrays can be systematically achieved with the help of the techniques discussed in this paper. In particular, they are ideally suited to the algorithms that were described as affine recurrences or loop nests in Section 1. They can be conveniently modeled in terms of ordered multidimensional integer sets and matrix algebra that supports the efficient representation and solution of scheduling and processor allocation problems. Of particular importance are the problems of avoiding computational conflicts in processing elements and data communication conflicts in links. Sections 2 through 4 discuss the dependency method (DM), which is based on linear mappings. We provide conditions that guarantee their correctness, including the absence of computational conflicts. We present closed-form expressions for these conditions which can be used with optimization techniques that use linear integer programming or intelligent searches. Both optimization approaches were discussed along with examples. In Sections 5 and 6, we describe a general parameter-based approach (GPM) for mapping algorithms with uniform indexing functions to systolic processor arrays. In this method, the behavior of the target array is captured by a set of parameters, and the design problem is formulated as an optimization problem with an objective and a set of constraints specified in terms of the parameters. We show that the parameters in GPM can be expressed in terms of the processor allocation matrix $S$ and the time schedule vector $\Pi$ in DM, thereby establishing the equivalence between the two representation methods. We present an efficient search procedure for finding $T_c$-optimal or $T_{comp}$-optimal (respectively, #PE-optimal) designs for specified bounds on #PE (respectively, $T_c$ or $T_{comp}$), as well as optimal designs with a certain monotonicity property on the objective function.
The distinct features of GPM lie in its ability to systematically search for optimal designs with specific design requirements of $T_c$ (or $T_{comp}$) and #PE, and its ability to include constraints on data-link and computational conflicts in the optimization procedure. A similar search procedure that finds $T_{comp}$-optimal designs has been developed for dependency-based methods (O’Keefe et al., 1991). We believe that a general search procedure that allows tradeoffs between #PE and $T_c$ in dependency-based methods can be developed for synthesizing uniform recurrences. In conclusion, we show in this paper two representation methods for synthesizing recurrent computations for linear processor arrays. These two methods differ in their representation power and search procedures. The dependency-based method is more general in its representation power and can be applied to find feasible designs for general (uniform as well
TABLE 3. COMPARISON BETWEEN DEPENDENCY-BASED VERSUS PARAMETER-BASED METHODS

Columns: Feature; Dependency-Based Method Presented in Sections 2-4; Generalized Parameter Method Presented in Sections 5-6.

Feature: Applicable recurrences
  Dependency-Based Method: General and applicable to uniform as well as nonuniform recurrences.
  Generalized Parameter Method: Homogeneous uniform recurrences or uniformized affine recurrences.

Feature: Representation
  Dependency-Based Method: Schedule Vector and Allocation Matrix: represented in Cartesian coordinate system with unit vectors as basis vectors; for the dimension-reduction technique discussed in Sections 2-4, the mappings are rank-deficient (i.e., $\Pi$ and $S$ yield $T$ where rank($T$) < $n$).
  Generalized Parameter Method: Periods and Displacements: represented in possibly nonorthogonal coordinate system with dependence vectors as basis vectors; hence, for uniform recurrences, the two representations are equivalent and derivable from each other by a coordinate (linear) transformation.

Feature: Characteristics of controls in processor array
  Dependency-Based Method: Nonuniform in the general case by specifying a general processor allocation matrix; processor arrays derived may, in the general case, have arbitrary speed/direction changes for data tokens and have aperiodic computations.
  Generalized Parameter Method: Uniform controls throughout the processor array, resulting in constant velocities and periodic computations.

Feature: Design objective and constraints
  Dependency-Based Method: Compute-time optimal designs or processor-optimal designs with linear objective function and linear constraints.
  Generalized Parameter Method: General nonlinear objective function and constraints with certain monotonicity properties on the objective function; new constraints have been developed that capture data-link conflicts.

Feature: Search methods for finding processor array designs
  Dependency-Based Method: Choose processor-allocation matrix heuristically, and find schedule vector satisfying processor-allocation constraints; methods of finding designs are based on linear/integer programming or intelligent searches.
  Generalized Parameter Method: Search method is systematic enumeration and pruning on a search space polynomial in complexity with respect to problem size.

Feature: Designs obtained
  Dependency-Based Method: Designs found are optimal in terms of computation time with respect to a given choice of processor-allocation matrix; possible allocation matrices chosen are those that minimize the number of processing elements.
  Generalized Parameter Method: Tradeoffs between processor and computation time (or completion time, including load and drain times) for a specific problem instance can be obtained.

Feature: Summary
  Both methods: The two methods presented in this article are equivalent approaches for mapping uniform recurrences. The formulation of the design optimization problem and the search techniques developed are equally applicable in both representations.
as nonuniform) recurrences. Due to its generality in representation, the search space for finding optimal designs is extremely large. Hence, dependency-based methods find feasible designs heuristically by first specifying how the data tokens should relate to each other. In contrast, the general parameter method is restricted to synthesizing uniform recurrences and affine recurrences that can be uniformized. For this class of recurrences, we can exploit uniformity in data traversal in the processor array. We present an efficient search procedure for finding optimal designs with user-specified requirements on the completion time and on the number of processing elements. Table 3 summarizes the unique features of the two methods.

ACKNOWLEDGMENTS

Research of J. Fortes and W. Shang was supported by Louisiana Education Quality Support Fund LEQSF(1991-93)-RD-A-42, National Science Foundation Grants DC1-8419745 and MIP-9110940, and Innovative Science and Technology, Office of the Strategic Defense Initiative Organization, administered through the Office of Naval Research under contracts 00014-85-K-0588, 00014-88-K-0723 and 00014-90-5-1483. Research of B. Wah and K. Ganapathy was supported by Joint Services Electronics Program contract JSEP N00014-90-J1270, National Science Foundation grant NSF MIP 92-18715, and an IBM graduate fellowship.
References

Almasi, G. S. and Gottlieb, A. (1989). Highly Parallel Computing. Benjamin/Cummings Publishing Company, Inc., Redwood City, CA.
Annaratone, M., Arnould, E., Gross, T., Kung, H. T., Lam, M. S., Menzilcioglu, O., and Webb, J. A. (1987). “The Warp Machine: Architecture, Implementation and Performance,” IEEE Trans. Computers, C-36, 12, 1523-38.
Banerjee, U. (1988). Dependence Analysis for Supercomputing. Kluwer Academic Publisher, Boston.
Baxter, B., Cox, G., Gross, T., Kung, H. T., O’Hallaron, D., Peterson, C., Webb, J., and Wiley, P. (1990). “Building Blocks for a New Generation of Application-Specific Computing Systems.” Proc. Int’l Conf. on Application Specific Array Processors (ASAP), pp. 190-201.
Chen, Z. and Shang, W. (1992). “On Uniformization of Affine Dependence Algorithms.” Proc. IEEE Fourth Symposium on Parallel and Distributed Processing, Arlington, TX, Dec. 1992, pp. 128-37.
Fortes, J. A. B., Lee, E., and Meng, T. (1992). Proc. of 1992 Application Specific Array Processors, IEEE Computer Society Press, Los Alamitos, California.
Fortes, J. A. B. and Wah, B. W. (1987). “Systolic Array-From Concept to Implementation.” IEEE Computer, July 1987, pp. 12-17.
Ganapathy, K. and Wah, B. W. (1992a). “Optimal Design of Processor Arrays for Uniform Recurrences.” Proc. Int’l Conf. on Application-Specific Array Processors. IEEE Computer Society, Aug. 1992, pp. 636-48.
Ganapathy, K. and Wah, B. W. (1992b). “Synthesizing Optimal Lower Dimensional Processor Arrays.” Proc. Int’l Conf. on Parallel Processing. CRC Press, Aug. 1992, Vol. 3, pp. 96-103.
Ganapathy, K. and Wah, B. W. (1993). “Designing a Coprocessor for Recurrent Computations.” Proc. Fifth IEEE Symposium on Parallel and Distributed Processing (in press).
Guibas, L. J., Kung, H. T., and Thompson, C. D. (1979). “Direct VLSI Implementation of Combinatorial Algorithms.” Proc. Caltech Conf. on VLSI. Caltech, Pasadena, CA, pp. 509-525.
Kannan, R. and Bachem, A. (1979). “Polynomial Algorithms for Computing the Smith and Hermite Normal Forms of an Integer Matrix.” SIAM J. Computing 8(4), 499-507.
Kung, H. T. and Lam, M. (1984). “Wafer-Scale Integration and Two-Level Pipelined Implementations of Systolic Arrays.” J. Parallel and Distributed Computing 1(1), 32-63.
Kung, S. Y., Lo, S. C., and Lewis, P. S. (1987). “Optimal Systolic Design for the Transitive Closure and the Shortest Path Problems.” IEEE Trans. Computer C-36, 603-14.
Lee, P. and Kedem, Z. M. (1988). “Synthesizing Linear Array Algorithms from Nested For Loop Algorithms.” IEEE Trans. Computers 37(12), 1578-98.
Lee, P. and Kedem, Z. M. (1990). “Mapping nested Loop Algorithms into Multidimensional Systolic Arrays.” IEEE Trans. Parallel and Distributed Systems 1(1), 64-76.
Li, G.-J. and Wah, B. W. (1985). “The Design of Optimal Systolic Arrays.” IEEE Trans. Computers C-34, 66-77.
Menzilcioglu, O., Kung, H. T., and Song, S. W. (1989). “Comprehensive Evaluation of a Two-Dimensional Configurable Array.” Proc. 19th Int’l Symposium on Fault-tolerant Computing, pp. 93-100.
O’Keefe, M. T. and Fortes, J. A. B. (1986). “A Comparative Study of Two Systematic Design Methodologies for Systolic Arrays.” Proc. 1986 Int’l Conf. on Parallel Processing, pp. 672-5.
O’Keefe, M. T., Fortes, J. A. B., and Wah, B. W. (1991). “On the Relationship Between Systolic Array Design Methodologies.” IEEE Trans. Computers 41(12), 1589-93.
Quinton, P. (1989). “Automatic Synthesis of Systolic Arrays from Uniform Recurrent Equations.” Proc. 11th Annual Symposium on Computer Architecture, pp. 208-14.
Quinton, P. and Van Dongen, V. (1989). “The Mapping of Linear Recurrence Equations on Regular Arrays.” J. VLSI Signal Processing 1(2), 95-1 IS.
Rote, G. (1985). “A Systolic Array Algorithm for the Algebraic Path Problem (Shortest Paths, Matrix Inversion).” Computing 34, 192-219.
Schrijver, A. (1986). Theory of Linear and Integer Programming. John Wiley & Sons, New York.
Shang, W. and Fortes, J. A. B. (1992). “On Mapping of Uniform Dependence Algorithms into Lower Dimensional Processor Arrays.” IEEE Trans. Parallel and Distributed Systems 3(3), 350-63.
Strang, G. (1980). Linear Algebra and its Applications, 2nd ed. Academic Press, Boston.
Tucker, L. W. and Robertson, G. G. (1988). “Architecture and Applications of the Connection Machine.” IEEE Computer, Aug. 1988, pp. 26-38.
Tzen, T. and Ni, L. (1993). “Data Dependence Analysis and Uniformization for Doubly Nested Loops.” Proc. Int’l Conf. on Parallel Processing. St. Charles, Illinois, pp. 91-99(11).
Valero, M., Kung, S. Y., Lang, T., and Fortes, J. A. B. (1991). Proc. of 1991 Application Specific Array Processors. IEEE Computer Society Press, Los Alamitos, California.
Valero-Garcia, M., Navarro, J. J., Llaberia, J. M., and Valero, M. (1989). “Systematic Hardware Adaptation of Systolic Algorithms.” Proc. Int’l Symposium on Computer Architecture. ACM/IEEE, pp. 96-104.
Wong, Y. and Delosme, J.-M. (1992). “Transformation of Broadcasts into Propagations in Systolic Arrays.” J. Parallel and Distributed Computing 14(2), 121-45.
Xing, Z. and Shang, W. (1993). “An Algorithm for Accurate Data Dependence Test.” Proc. IEEE Int’l Conf. on Application Specific Array Processors, Oct. 1993, Italy (in press).
Xue, J. (1993). “A New Formulation of the Mapping Conditions for the Synthesis of Linear Systolic Arrays.” Proc. IEEE Int’l Conf. on Application-Specific Array Processors, Oct. 1993, Italy (in press).
Yaacoby, Y. and Cappello, P. R. (1988). “Scheduling a System of Affine Recurrence Equations onto a Systolic Array.” Proc. Int’l Conf. on Systolic Arrays, San Diego, CA, May 1988, pp. 373-82.
Yang, Z., Shang, W., and Fortes, J. A. B. (1992). “One-to-one Time Mappings of Nested Algorithms into Lower Dimensional Processor Arrays.” Proc. of the Sixth IEEE Int’l Parallel Processing Symposium, March 1992, Beverly Hills, CA, pp. 156-64.
Information as a Commodity: Assessment of Market Value

ABBE MOWSHOWITZ
Department of Computer Science
The City College (CUNY)
New York, New York
1. Introduction
2. The Information Marketplace
   2.1 Information in the Economy
   2.2 Market Value of Information
3. What Is Information?
   3.1 Models and Measures of Information
   3.2 A New Definition of Information
4. Information Commodities
   4.1 Introduction
   4.2 Information versus Other Commodities
   4.3 A Naive Taxonomy
   4.4 Toward an Improved Taxonomy
5. Making Information Commodities
   5.1 Introduction
   5.2 Value-Added Model of Information Commodities
   5.3 Description of Model Components
   5.4 Applications of the Model
   5.5 Estimating Supply Price
6. Toward an Inventory of Information Commodities
   6.1 Manufacturing
   6.2 Banking
   6.3 Securities Trading
   6.4 Credit Reporting
   6.5 Electronic Information Industry
   6.6 Software Industry
7. Using Information Commodities
   7.1 User as Producer: Derived versus Final Demand
   7.2 Production Digraph Model
   7.3 Estimating Demand Price
   7.4 Determining Cost Reduction Possibilities
   7.5 Applications
8. Competition and Regulation
   8.1 Stakeholders
   8.2 Interest Groups
   8.3 Regulation and Standard-Setting
   8.4 Politics of Regulation
9. Conclusion
Acknowledgments
Endnotes
References
1. Introduction
The evolution of the marketplace for information appears to be governed by impulses stemming from the displacement of information, knowledge, or skill from persons to artifacts. This process of displacement is an extension of the commoditization of labor, a process that began in earnest with the industrial revolution. The information commodity is to contemporary organizations what the labor commodity was to the pre-industrial workshop: a vehicle for the radical reorganization of production. In the context of existing economic activities with established methods, there are typically two stages in the formation of an information commodity. In stage 1 information is embedded in an artifact (e.g., transferring the skill of a machinist into a program for a machine-controller, or building an on-line bibliographic retrieval system for a specialized research area), while in stage 2 the artifact is recognized as an independent entity that can be traded in the marketplace. Following up the examples of the first stage, this would mean marketing a program for producing a part on a computer-controlled machine tool, or turning an on-line retrieval system into a commercial service. This two-stage process results from performing an old task in a new way. The introduction of word processing in the office is a now familiar example. But as time goes on information commodities increasingly will be born fully grown. Entirely new products and services, e.g., descendants of contemporary software and databases, will be planned and executed from the start as commercial artifacts that furnish information. This paper is concerned with the problem of assessing the market value of these new types of commodities. It is not intended as a comprehensive survey of information economics. Market value will be examined from the perspectives of both producers and users. The treatment accorded these issues here will be somewhat eclectic, stressing the author’s approach to the assessment of market value.
Price is used as a proxy for the market value of an information commodity. For the producer, we take the relevant price to be the minimum needed to break even; for the user, the relevant price is taken to be the maximum consistent with expected return on investment in the commodity.
It must be stressed that we are not examining price in terms of market equilibrium, but as a management decision problem for producers and users, respectively.
2. The Information Marketplace

2.1 Information in the Economy
Information has always been important in economic activity. Indeed, little reflection is needed to convince oneself of its fundamental role in the production and distribution of goods and services. Why then has the notion of an information marketplace risen to prominence only in recent years? One might be tempted to speculate that before computers the contribution to the GNP of information-related activities was relatively small, so that it was not until recently that a significant marketplace existed for information. But this observation could be interpreted as an artifact of analysis, i.e., the way economic activities are classified. For example, if manufacturing is regarded as an indivisible component of the economy, then the design of products, the planning of manufacturing processes, accounting functions, etc. (all information-related activities) would be subsumed under the heading of manufacturing. If past neglect of information-related activity is an artifact of economic analysis, it is logical to ask what has prompted economists (notably Machlup, 1962, 1980; Porat, 1977) to revise their predecessors’ treatment of national income and employment data. The reason is a qualitative expansion of the means for manipulating information as an independent factor of economic activity. Computers and communication technology have made it possible to separate and remove information from virtually all of its traditional human and social contexts. This newfound independence means that the information required for a task in organization A need not be provided by a human being nor even by organization A. The separability of information is the foundation of the evolving information marketplace. Like most innovations, the emergence of an economically significant marketplace for information is not without precedent. The publishing industry marketed information long before computers were invented.
Business credit reporting (e.g., the Dun and Bradstreet Company) got underway when the first telegraph system was introduced in the middle of the nineteenth century. Compared to computer-based information systems these examples represent primitive stages of development. However, they are essentially the same as contemporary information commodities in the sense of being
artifacts that furnish information. The difference between the old and the new artifacts lies in their respective power and generality. A printed page is a passive repository of information. A computerized database, on the other hand, can be designed to act on the information it contains to extract items of interest to a human or machine user; it can select, combine and sort items in the file, and, in some cases, draw inferences to create new items. All of these extended functions would have to be performed by the reader of a printed page. The formation of the contemporary information marketplace has much in common with the rise of labor markets in the early modern period. Labor, like information, has always been an essential component of production. Labor markets resulted from changes in production methods that made it possible to manipulate labor as an independent element of production systems. These changes were brought about by the technical and organizational innovations of modern industry. Just as some information commodities existed before the computer, so was labor occasionally traded in the pre-industrial marketplace. The contemporary information marketplace and the industrial labor market are both distinguished by their universality. Once the idea of labor as an independently manipulatable factor of production took hold, every craft was liable to be reorganized along industrial lines. An analogous idea in relation to information has taken root in contemporary society, and we can expect a transformation of the economy at least as formidable as the process of industrialization.
2.2 Market Value of Information
As suggested above, one way to assess the value of information in the marketplace is to use the price a customer is willing to pay for it as a proxy. Defining value in this way is easy; determining how the value is arrived at is the hard part. Two different approaches to the determination of market value linked to this observation are evident in the literature. One approach is to analyze the role of information in decision-making; the other is based on the contribution of information to the productivity of the user. Let us discuss each briefly in turn.
2.2.1 Decision-Theory Model

This approach was taken by Marschak in his development of the theory of information economics (Marschak and Radner, 1972). Gotlieb (1985, pp. 115-118) gives an example to illustrate Marschak’s approach, namely, a calculation of the value of an information system given in the form of a market survey that indicates the state of the market for a product being sold. In Gotlieb’s example, a manufacturing company is uncertain as to the demand for its product A. The company does know that it can sell ten A’s in a firm market and four in a soft market; and it has only three levels of production capacity: high (ten A’s), medium (eight A’s) and low (four A’s). Finally, each A costs three units to make and sells at a price of four. The question the company seeks to answer is how many A’s should it produce. The value of an information system is related to the benefit that can be derived from it in predicting market demand. Computing this value involves determining the benefits corresponding to the three possible production decisions for each of the two market-demand conditions. These, in turn, depend on estimates of the probabilities of different market conditions and the conditional probabilities of market-demand predictions given different actual conditions. Determining value in this way requires a great deal of knowledge of the past performance and probabilities of the market. As Gotlieb (1985, pp. 118-119) observes, “For the really important decisions . . . almost no numerical estimates can be derived, and it is impossible to begin calculating the value of information along the lines [described in the example].”
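The calculation outlined in Section 2.2.1 can be carried through as follows. This is an added example, not taken from Gotlieb or from the chapter: the demand, capacity, cost and price figures are the ones quoted above, while the prior probabilities, the survey accuracy, the assumption that unsold units are worth nothing, and all function names are constructed for illustration.

```python
# Added example: value of the market survey in the production problem above.
from fractions import Fraction as Fr

PRICE, COST = 4, 3                                   # figures quoted in the text
DEMAND = {"firm": 10, "soft": 4}                     # units sellable per market state
CAPACITY = {"high": 10, "medium": 8, "low": 4}       # units made per production level


def payoff(level, market):
    """Profit for one production level in one market state.

    Assumption: unsold units have no salvage value.
    """
    made = CAPACITY[level]
    sold = min(made, DEMAND[market])
    return PRICE * sold - COST * made


def expected_payoff(level, belief):
    """Expected profit of a level under a probability distribution over markets."""
    return sum(p * payoff(level, m) for m, p in belief.items())


def best_action(belief):
    """Production level with the highest expected profit, and that profit."""
    level = max(CAPACITY, key=lambda lv: expected_payoff(lv, belief))
    return level, expected_payoff(level, belief)


def posterior(prior, likelihood, signal):
    """Bayes update: P(market | survey says `signal`) and P(signal)."""
    joint = {m: prior[m] * likelihood[m][signal] for m in prior}
    p_signal = sum(joint.values())
    if p_signal == 0:                                # this prediction never occurs
        return None, p_signal
    return {m: j / p_signal for m, j in joint.items()}, p_signal


def survey_value(prior, likelihood):
    """Expected profit with the survey minus expected profit without it."""
    _, ev_without = best_action(prior)
    signals = {s for row in likelihood.values() for s in row}
    ev_with = 0
    for signal in sorted(signals):
        post, p_signal = posterior(prior, likelihood, signal)
        if post is None:
            continue
        # After each prediction the firm re-optimizes its production level.
        ev_with += p_signal * best_action(post)[1]
    return ev_with - ev_without


# Constructed inputs: equal prior, survey correct four times out of five.
PRIOR = {"firm": Fr(1, 2), "soft": Fr(1, 2)}
SURVEY = {
    "firm": {"says_firm": Fr(4, 5), "says_soft": Fr(1, 5)},
    "soft": {"says_firm": Fr(1, 5), "says_soft": Fr(4, 5)},
}

if __name__ == "__main__":
    print("best level without survey:", best_action(PRIOR))
    print("value of survey:", survey_value(PRIOR, SURVEY))
```

The result is the most the firm should pay for the survey under these constructed probabilities; it changes with the prior and the survey's accuracy, which is the estimation burden the quoted passage points to.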
2.2.2 Productivity Model
These practical difficulties suggest the need for an alternative approach, one linked to the productivity of the information user. Although this approach is less demanding computationally, it is fraught with measurement difficulties. The basic idea is to determine productivity changes attributable to information or an information system. Difficulty number one is measuring productivity. In a factory, productivity is assumed to be expressed in terms of units of production per person-hour of labor input. It is less clear how to measure productivity in a research or managerial environment, though we could use a person’s direct or indirect contributions to the earnings of the firm as a basis for measurement. In the case where an information system is introduced to meet the demands of a single task, subjective estimates of productivity changes can be obtained. However much these estimates may represent an accurate consensus, they tend to be based on an excessively narrow view of the aim of the information system.
A second difficulty arises in pinpointing the effects of information on productivity. Typically, several changes take place simultaneously when an information system is introduced, and it is difficult to isolate the effects of any one of these changes.
2.2.3 An Alternative Approach
Neither the decision theory nor the productivity approach to value determination is entirely satisfactory. Nevertheless, businesses manage somehow to price their information products and to make decisions about how much money to allocate for the development or purchase of information systems. Market sampling methods, applied to potential users of a system within an organization and to potential customers for a firm’s products, may yield the best estimates of value.
The approach to market-value assessment adopted in this paper takes the information product or service, i.e., an information commodity, as the basic unit of analysis. Information has market value only as an element of an information commodity. Unlike information, these commodities can be used up and exchanged. This approach to assessment avoids the paradox arising from attempts to ascribe exchange value to something that can only be shared, i.e., if A gives information to B, A still has it, regardless of what B gives A in return, so the transaction is not an exchange in the usual sense. The commodity approach also allows for differentiating the contributions to market value of the different components of information systems and other types of information commodities. Thus, it is possible to combine the insights of the decision-making and productivity models in a unified theory. In particular, this approach suggests pricing models that explicitly recognize that market value is inextricably linked to the particular use to which an information commodity is put.
3. What Is Information?
3.1 Models and Measures of Information
3.1.1 Selective Information
To take the measure of the emerging information marketplace, we need to pin down the notion of information itself. Two very different aspects of information have been examined extensively. One has to do with the removal of uncertainty associated with the reception of information; the other is concerned with the content or meaning of information. The former may be called selective information; the latter, semantic or structural information.
[Figure: block diagram of SOURCE, ENCODER, CHANNEL, DECODER and RECEIVER in sequence, with NOISE acting on the CHANNEL.]
FIG. 1. Model of a communication system.
Origins in Communications Engineering. The notion of selective information was elaborated in the context of communication engineering. Figure 1 represents the basic paradigm. A sender or source of information generates messages to be transmitted over a channel to a receiver or destination. The information produced by the source is encoded in a form suitable for transmission over the channel; once through the channel, the information is decoded and delivered to the receiver or destination. Of course, there may be errors in transmission, i.e., what is received may differ from what was sent. The cause of such errors is represented in the paradigm as noise that affects the channel. Originally developed for telephony, this model is suitable for a wide variety of communication systems. It provides the conceptual apparatus for analyzing errors, their causes, and potential remedies. Selective information is central to this analysis of errors.
Information reduces uncertainty about the state of the world. This is the basis of the selective interpretation. Consider a simple experiment: the tossing of an unbiased coin. There are two possible outcomes (heads and tails), each having probability one-half. The occurrence of a specific outcome removes the uncertainty of the experiment. The quantity of uncertainty removed from (or information contained in) the experiment depends on the mathematical form of the measure adopted. The choice of a measure is not arbitrary. To be useful such a measure must support the development of a theory of information from which it is possible to infer when and how to minimize the effects of channel noise. The famous entropy measure introduced by Shannon (1948) does just that. It is defined for a set of outcomes with an associated probability distribution. Let us consider a simple example. Suppose a source can generate a finite set $\{m_1, m_2, \ldots, m_n\}$ of messages with probabilities $p_1, p_2, \ldots, p_n$, respectively. The information content of the source is given by:
$$-\sum_{i=1}^{n} p_i \log p_i$$
The base of the logarithm is arbitrary, but is usually taken to be 2. In this case, Shannon’s measure is expressed in bits (short for binary digits). Note that there is one bit of information in the coin-tossing experiment described above, and likewise one bit in any experiment with two equiprobable outcomes. The entropy measure, equating information with uncertainty, has facilitated the development of a theory of information with valuable, practical consequences. Shannon demonstrated what has come to be known as the fundamental theorem of information theory. This theorem states that as long as the rate at which information is transmitted through a channel remains less than the channel’s capacity, it is possible to transmit information at that rate with as low a probability of error as desired (see Ash, 1965). The reason for stressing “possible” is that the theorem does not provide detailed instructions for achieving arbitrarily low probability of transmission error. To accomplish this one has to find a clever way of encoding the data for transmission through the channel. But the theorem does provide some assurance that it is sensible to make the effort. Shannon’s theory was motivated by the desire to develop methods of designing minimal-cost, reliable transmission systems. The object is to pump as many bits as possible, with as few errors as possible, at the lowest cost possible, through a noisy channel like a telephone line. The specific content of the information to be transmitted is irrelevant here. A bitstream carrying a conversation between two friends about where to go for dinner has the same standing as bits representing a discussion between a prison warden and a state governor about pardoning an inmate scheduled to be executed within the hour.
Extensions to Other Fields. Despite this limitation, Shannon’s measure has been adapted for use in many different domains. For a time it exercised an irresistible attraction to intellectuals of all stripes, from music theorists and aestheticians to experimental psychologists and physicists. Shannon’s 1948 paper took the intellectual world by storm, and stimulated an intense flurry of research activity that lasted until the early 1960s. This activity is documented by a plethora of publications on applications of information theory that appeared in the decade following Shannon’s paper. Here are some sample titles: “Applications of Information Theory to Psychology” (Attneave, 1959); “Meaning in Music and Information Theory” (Meyer, 1957); “Information Input Overload and Psychopathology” (Miller, 1960); “Théorie de l’information et perception esthétique” (Moles, 1958); “Science and Information Theory” (Brillouin, 1962); “Information and Prediction in Science” (Dockx and Bernays, 1965).
The apparent universality of information theory follows from the character of Shannon’s entropy measure. An ensemble of outcomes with an associated probability distribution is sufficient to put one in business. A plausible interpretation of the information so computed can be cooked up fairly easily. In music the interpretation has to do with the probabilistic behavior of the auditor’s expectation of musical elements (e.g., note, chord, etc.) in a sequence. Likewise the information content of a string of lexical symbols. In sensory psychology, the entropy measure has been used to determine the information content of inputs or stimuli (e.g., visual arrays, auditory stimuli, etc.), and to estimate the capacity of sensory channels. It is perhaps only a slight exaggeration to say that most of the excitement over applications of information theory was sound and fury signifying very little. The value of the theory in its original context of communications engineering rests on the fundamental theorem, and this result has no counterpart in most of these other domains. Many of the applications used information theory in a purely descriptive way as a way of reformulating existing problems, pouring old wine into new bottles.
3.1.2 Structural Information
Uncertainty versus Meaning. There is more to information than uncertainty. As noted above, every equiprobable, two-choice situation contains one bit of selective information. However, the value or significance of knowing an outcome may vary greatly from one situation to another. To make this concrete let us consider the following cases. (1) The Agriculture Department releases an estimate of the current orange crop yield. For simplicity, let us suppose there are two outcomes: (a) expected yield higher than previously estimated, and (b) expected yield equal or lower than previously estimated. Furthermore, suppose each of these two outcomes is equally likely. (2) The Weather Bureau issues its forecast of tomorrow’s weather. Again let us assume two equiprobable outcomes: rain versus no rain. The cost to the phone company of transmitting a bit is the same no matter what it represents, so there would be no reason for the phone company to treat these situations differently. But for a commodities trader, one bit of information about the orange crop would be far more significant than a bit concerned with tomorrow’s local weather. These two cases are distinguished by the respective meanings of the messages involved. Both involve the same amount of uncertainty, but the use to which the information can be put is very different. Knowing tomorrow’s weather forecast may lead one to buy hamburger for an outdoor picnic; knowing that the Agriculture Department has raised its estimate of the
orange crop yield may lead one to sell short orange juice futures. The potential return in the former case is a pleasant afternoon with the family; the latter may produce huge profits. It is important to note that we are concerned exclusively with value in the marketplace, not with any other kind of value. Some individuals, under certain conditions, might very well place a greater value on spending a pleasant afternoon with the family than on making huge profits in a securities transaction. However, we are considering information in the business world, where profits are the ultimate arbiter of value. The inadequacy of the uncertainty measure is especially apparent in connection with information commodities. Information is valued not just because it removes uncertainty, but because it may be used to accomplish specific ends.
Measures of Structural Information. A comprehensive survey of structural measures is beyond the scope of this paper, so we will discuss two representative examples: (1) a semantic measure, and (2) a measure of the structural complexity of a graph.3 Osgood, Suci, and Tannenbaum (1957) developed an empirical technique, the semantic differential, for the measurement of meaning. This technique defines the meaning of a concept operationally in terms of something called semantic space, a Euclidean space of unknown dimensionality. Given a concept, one constructs an associated semantic space by means of a set of semantic scales, i.e., pairs of polar adjectives such as hot-cold, sweet-sour, hard-soft, happy-sad, etc. that are used to identify aspects of the concept. Each such scale represents a straight-line function passing through the origin of the space, so a sample of the scales defines a multidimensional space. The larger the sample, the better defined is the semantic space representing the concept. Having constructed a sample of scales, one determines, by factor analysis, a minimum set of mutually orthogonal dimensions or axes that generate the whole space (i.e., a basis). There are three sources of variability in this measurement approach: the subjects, the scales, and the concepts judged. Presumably, with a judicious choice of scales and a sufficiently large population of subjects, the semantic space defining the meaning of a concept will be reliable. In principle, any collection of data could be characterized in terms of the basis of a semantic space. This tool is obviously more complex than Shannon’s entropy measure. Whereas a transmission rate in bits/sec is sufficient to determine the capacity required to move information from point A to point B, it is not at all clear, for example, how to relate semantic space to the value or the cost of information. The problem is to evaluate information according to its
meaning. Features of semantic space that might be used for this purpose include dimensionality and basis elements. The nonselective character of information is not a unitary thing. Semantic content is often either insufficient or inappropriate for measuring the structure of an object or a system. A richer conceptual apparatus is sometimes needed. Moreover, there may be a variety of different measures of structure, defined for the same object, that have nothing in common. This has been shown in connection with combinatorial graphs (Mowshowitz, 1968a, 1968b). Here a measure of the relative complexity of a graph is developed using Shannon’s entropy function. Such a measure requires specifying a unique decomposition of the vertices or the edges of a graph so as to construct a finite probability scheme. For example, suppose a graph G has n vertices, which are subdivided into k nonoverlapping classes containing $n_1, n_2, \ldots, n_k$ vertices, respectively. Then the k numbers $n_i/n$ can be interpreted as a finite probability scheme, i.e., a probability distribution associated with the k vertex subsets; the entropy of such a scheme is the familiar:
$$-\sum_{i=1}^{k} (n_i/n)\log(n_i/n).$$
The significance of this procedure depends on the structural feature that gives rise to the unique decomposition underlying the probability scheme. An example is given in Mowshowitz (1968a) in which two measures defined relative to different structural features diverge essentially as much as possible. That is, according to one measure a given sequence of graphs has zero information; according to the other, the information content of the sequence is unbounded. If this is surprising, it is so only because of linguistic habits. We use the word “complexity” as though it designated some universal property of systems. In this we are misled by common usage: system A may be more complex than system B with respect to structural feature S, though the converse may hold with respect to structural feature T. The foregoing is a somewhat obscure way of saying that structural information is in the eye of the beholder.
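An added example (not from the original chapter) of the point just made: the same graph receives a different entropy depending on which vertex decomposition underlies the probability scheme. The two decompositions used here, degree classes and orbits of the automorphism group, are choices made for this illustration; the logarithm is taken to base 2, and the sample graph is constructed.

```python
from collections import Counter
from itertools import permutations
from math import log2


def partition_entropy(class_sizes):
    """Entropy -sum (n_i/n) log2(n_i/n) of a vertex partition,
    given only the sizes n_1..n_k of its classes."""
    n = sum(class_sizes)
    return -sum((k / n) * log2(k / n) for k in class_sizes if k)


def degree_classes(n, edges):
    """Class sizes when vertices 0..n-1 are grouped by degree."""
    degree = Counter()
    for u, v in edges:
        degree[u] += 1
        degree[v] += 1
    return sorted(Counter(degree[v] for v in range(n)).values())


def orbit_classes(n, edges):
    """Class sizes when vertices are grouped into automorphism orbits.

    Brute force over all n! vertex permutations, so small graphs only.
    """
    edge_set = {frozenset(e) for e in edges}
    parent = list(range(n))            # union-find over vertices

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for perm in permutations(range(n)):
        # A bijection that maps every edge onto an edge is an automorphism.
        if all(frozenset((perm[u], perm[v])) in edge_set for u, v in edges):
            for v in range(n):
                parent[find(v)] = find(perm[v])   # v and its image share an orbit
    return sorted(Counter(find(v) for v in range(n)).values())


def cycle(vertices):
    """Edges of a cycle through the given vertices, in order."""
    return [(vertices[i], vertices[(i + 1) % len(vertices)])
            for i in range(len(vertices))]


# Constructed sample: a triangle and a square side by side (7 vertices).
# Every vertex has degree 2, yet no symmetry maps the triangle onto the square.
SAMPLE_N = 7
SAMPLE_EDGES = cycle([0, 1, 2]) + cycle([3, 4, 5, 6])


def compare(n, edges):
    """Entropy of the same graph under the two decompositions."""
    return {
        "degree": partition_entropy(degree_classes(n, edges)),
        "orbits": partition_entropy(orbit_classes(n, edges)),
    }


if __name__ == "__main__":
    print("degree classes:", degree_classes(SAMPLE_N, SAMPLE_EDGES))
    print("orbit classes: ", orbit_classes(SAMPLE_N, SAMPLE_EDGES))
    print(compare(SAMPLE_N, SAMPLE_EDGES))
```

Grouped by degree the sample graph has a single class and therefore zero information, while grouped by symmetry it has two classes and close to one bit.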
3.2 A New Definition of Information
3.2.1 Information as Ability
Uncertainty and meaning, the two aspects of information discussed above, are by no means at variance. The former lends itself to measurement of quantity, as in Shannon’s formulation; the latter is more closely linked
to the measurement of value. Both come into play in decision-making and control. To decide is to choose. This holds despite the variability of the conditions under which choices are made. Sometimes alternative choices are known, sometimes they are not. A choice may encompass a more or less complete blueprint for action, or it may only specify exclusions. Moreover, the goals and objectives of decision-makers may range from completely specified to hopelessly ambiguous. But whatever the nature of the choices available and the character of the objectives, the decision-maker must somehow assess the desirability of alternatives in order to arrive at a particular choice. Information is what enables the decision-maker to perform this assessment and, thus, to choose. Control involves the ordering of actions. Here again the conditions under which control is to be exercised are highly variable. Ordering may be formulated in terms of choice (of orderings), thus logically reducing the problem of control to one of decision making. This poses no difficulty so long as choice is clearly distinguished from action. Under this interpretation, decision-making and control are both instances of planning, rather than performance. Note that the ability to decide or to choose is quite different from the ability to act. The ability to decide is analogous to the ability of a finite automaton to shift from one state to another; the ability to act corresponds to an automaton’s ability to produce output. These observations motivate the following definition of information given in Mowshowitz (1992a):
Definition. Information is the ability of a goal-oriented system to decide or control. “To decide” means to make a choice among several alternatives which may be executed in pursuit of a goal. Similarly, “to control” means to determine an ordering of a set of actions, i.e., to choose an ordering among several possibilities. A system is goal oriented if the actions it takes are meant to achieve some goal, however appropriate or inappropriate those actions may turn out to be.
The above definition allows for integrating the selective and semantic aspects of information. Decision-makers typically seek information as a means of reducing uncertainty. Consider, for example, the task of a manager with responsibility for a line of n consumer products, $p_1, p_2, \ldots, p_n$. Suppose that for each product the manager has to choose between different features, i.e., product $p_i$ may be offered with feature x or with feature y. To help reduce uncertainty about consumer acceptance, the manager could commission a market research study for each product designed to assess likely consumer preferences for the different features possible with each
product. Now it is not unreasonable to assume that while the amount of uncertainty about consumer preferences is roughly the same for each of the products, some of the products generate much more revenue than others. Here is where meaning surfaces in the ability to decide. It is not enough for the manager to gather information to remove uncertainty about the choice of features; because resources are rarely unlimited, it is also necessary to ascertain the significance of the uncertainty reduction. The ability to decide is thus seen to depend upon both the reduction of uncertainty about choices and the determination of the significance of choices. This dual aspect of information corresponds to the distinction drawn by Marschak (1959) between cost and amount (as measured by entropy or uncertainty) of information. Marschak (1959, p. 81) argues that the “[amount of information] is not identical with the value of information . . . shown to determine the demand price. But it is presumably related to cost, and hence the supply price, of information . . .”
3.2.2 Characteristics of Information
The definition of information as some sort of ability calls attention to its nonmaterial character. Viewed in this way, information is clearly not identical to the things that are said to “contain” or “furnish” information. Books, databases and computer programs, for example, are not themselves information; they are material objects or artifacts that furnish information. Selective and semantic aspects of the ability to decide are characteristic of the functions of information. This approach to defining information draws sharp distinctions between what information is, what forms it may assume, and what properties it possesses. These categories are often blurred in discussions of the nature of information. For example, Hayes (1993) defines information as “a property of data,” and data as “recorded symbols.” Data are used to represent facts, and a fact is a “statement whose truth is testable.” According to the scheme proposed by Hayes, information is then a property of the symbols that represent (or, possibly, encode) logical propositions. This is a restrictive interpretation, inasmuch as it reduces information to one of its forms, namely, logical statements. Symbolic systems, such as natural language, logic, and mathematics, represent and articulate observations about reality, but they should not be confused with reality or with observations. Information is not the same as any one of its embodiments or representations. In particular, information (i.e., the ability of a goal-oriented system to decide) cannot be equated with a proposition in logic. A proper definition should also be able to embrace both the “what” and the “how” of information. This requirement is met by the definition
proposed here, which supports a model unifying the declarative and procedural aspects of information. As argued in Mowshowitz (1992a), information, defined as “ability” rather than “stuff,” has two complementary aspects: (1) the ability to observe or experiment, and (2) the ability to express beliefs. These complementary aspects may be modelled as a system of two interacting components, namely, a belief subsystem, and a command subsystem. The belief subsystem encompasses declarative statements and inference rules; the command subsystem is composed of procedural statements together with rules for generating such statements. The terms “declarative” and “procedural” are used here in a way that is entirely analogous to their use in the area of knowledge representation. Consistent with the definitions of decision and control as elements of planning rather than performance, a system consisting of belief and command components does not perform any action. That is to say, it does not itself draw inferences or make observations. Such actions are performed by independent agents. Information, the ability to decide or control, is embedded in the relationship between belief and command (or declaration and procedure). So-called facts or observations confer the ability to decide when the relevant conditionals are in the belief system. Conversely, statements of belief confer such ability when the requisite observation procedures are in the command system. In short, the key to the ability that constitutes information lies in the complementarity of declarative and procedural statements. Declarative statements express belief about the state of the world, and thus may be modelled as statements in predicate logic, which include descriptions of reality and arbitrary boolean combinations of descriptive statements. Procedural statements prescribe how to transform the world. The imperative character of this type of statement requires something more than predicate logic.
Imperative statements do not have a truth value. Such statements, which call for action, are embedded in procedures, algorithms, process specifications, etc. In the belief-command characterization of information as an ability, procedural statements prescribe how to obtain descriptions of reality.
3.2.3 Representing Information
Thus far we have discussed the functions (i.e., selective and semantic), and the structure (i.e., belief-command system) of information. Whatever the function or structure, certain conventions must be observed to make information interpretable and communicable. This brings us to the issue of representation. Natural-language text, instructions in a programming language, mathematical expressions, graphs and charts, etc. are all examples
of different representations of information. The model of structure presented earlier, although formulated in terms of declarative and procedural statements, is independent of any particular representation of information. Implicit in that formulation is the assumption that any representation of information can be interpreted in the framework of the model. A representation of information presupposes a system of symbols and conventions. Representations may differ within a given system, as well as between different systems. Languages (both natural and artificial, defined by their respective alphabets, syntax, semantics and pragmatics) are the most well-known frameworks for representing information. But other symbolic systems may also allow for the representation of information. Whether or not models of language apply to nonlinguistic systems (e.g., music, mythology, art) is beyond the scope of this paper.
4. Information Commodities
4.1 Introduction
A commodity is something traded in the marketplace. Logically speaking, anything can be a commodity; and in the advanced market economies, there are few social limitations on what might become a commodity. Two factors make it possible to turn things into objects of trade: (1) appropriability, and (2) valuability (Mowshowitz, 1992a). Appropriability is the capacity of being owned. If something cannot be appropriated or owned, it cannot be traded. Valuability is the capacity of being assigned a market value in some standard unit. If an object cannot be assigned such a value, there is no way to determine for what it might be exchanged. Appropriation and valuation are both social processes. Appropriability implies a legal system that defines rights in property and the conditions under which property can be transferred; valuability implies collective knowledge of the uses of things in relation to human needs and wants. The two criteria, appropriability and valuability, give rise to an unambiguous definition of commodity.6 In particular, the criteria can be used to determine if something is an information commodity. If a report, consulting service, or software package can be owned and priced, it can be a commodity. The foregoing discussion of information and commodity leads naturally to the following definition.
Definition. An information commodity is a type of commodity which furnishes information (i.e., the ability to decide or control).
As suggested earlier, the idea of an information marketplace has taken on great significance in recent years, because the commoditization of information has become a universal process in advanced industrial economies. Information commodities are being bought and sold in an ever-increasing variety of forms, some traditional (e.g., books) and some dependent on advanced technology (e.g., on-line databases and software). This profusion of information commodities is driven by the recognition of information as a separable component of production and by the existence of the means to exploit this recognition. An information commodity can be passive or active. Books, magazines, and catalogues are examples of passive information commodities. The active variety is distinguished by having processing power, which may vary in degree from one commodity to another. A database capable of inferring new facts from items currently in the file has more processing power than a simple retrieval system.
4.2 Information versus Other Commodities
4.1.1 Differences: Sharing versus Exchange
Much has been made of the uniqueness of information. Cherry (1985), in particular, has argued that information is inherently collective because it is not destroyed by use, i.e., information gives rise to sharing rather than exchange relations. Tangible commodities are either destroyed or otherwise transformed in the act of being consumed. A hamburger eaten by one diner is unavailable for another; a gallon of gasoline is transformed into mechanical and heat energy when used to power a car, and is unrecoverable in its original form after use. By contrast, information is not lost through ordinary use. For all practical purposes, a book can be read arbitrarily often without diminishing the information furnished by it. Similarly, the information provided by an on-line database is not altered by repeated, read-only access. And a payroll program executed today will, in the same computing environment, run the same way next week and ten years hence. Cherry’s argument is correct so far as it goes, but it does not go far enough. The sharing (nondestructive readout) applies to the information, not to the artifact furnishing the information. A book, viewed as provider of information, is perishable: it can be burned, mutilated, or dissolved in acid. This also applies to electronic, optical, and organic (e.g., human brains) storage media, as well as to the devices used to process, store, and retrieve information.
The differences between information commodities and conventional ones derive from differences in their respective contents. To some observers, like Cherry, this suggests that information cannot be appropriated for exchange in the marketplace, because both seller and buyer have it after the former conveys it to the latter. Nevertheless, books, computer programs, consulting services, and databases are traded in the marketplace. Are these things economic anomalies? A new order of commodities? Not at all. As intimated earlier, the apparent contradiction is removed by the distinction between an information commodity and the information which this commodity provides. Information commodities “contain” information in some sense, but they are commodities just like bread, television sets, and candy bars. An example, introduced earlier to show the limitations of equating information with uncertainty, may help to clarify this distinction. Consider the dilemma of the commodities trader faced with the problem of determining how much to pay for information on, say, the current orange crop before it is released to the public by the United States Department of Agriculture. Note that the price of orange juice futures contracts is affected by unexpected changes in estimated crop yields: increases, unanticipated by market participants, tend to drive prices down, while decreases push them up. By selling short on reports of unexpected crop increases or buying long on reports of decreases, it is possible for traders to make handsome profits. Of course, to profit from such information, the trader would have to obtain and act on the reports before they become general knowledge, i.e., to trade on “inside information.” How can the trader decide what to pay for inside information offered by a spy before having it?8 In principle, the payment could be based on the potential profit; but there is no way to determine the profit to be made without actually knowing the crop forecast.
Without the actual forecast there is no way of deciding whether to sell short or to buy long, nor any way of anticipating the trading actions of the other market participants. If, however, the inside information were given to the trader on approval, so to speak, the spy might have a very hard time collecting anything. How is this apparent dilemma resolved in practice? The resolution hinges on the nature of the spy’s service. If the trader has no intention of using the spy’s services again, he may very well have recourse to Cherry’s argument that no exchange took place, and, therefore, nothing is owed. But if the trader engages the spy on a regular basis, then a record, compiled over a period of time, of the profits derived from the spy’s information provides the trader with a basis for determining how much to pay. The apparent dilemma may be resolved by evaluating the spy’s service in terms of the definition of an information commodity. Failure to distinguish between information and an information commodity lies at the root of the
problem. In the trading example, the inside information can be made into a commodity only if it can be embedded in something that can be owned and be assigned a market value. This something is not the information itself, but the service provided by the spy. In one case (i.e., spy used once), there is no commodity; in the other case (i.e., spy used repeatedly), there is a commodity. So, it would appear that information commodities are not fundamentally different from other commodities, and the notion of an information commodity entails no contradiction.
4.1.2 Similarities: Behavior of Market Value
Information does not get used up or run down the way a car or a house does. But the market value of information commodities behaves much like that of other commodities. Some information products and services are valued according to their age (e.g., financial data), others according to their innovative design (e.g., software), but all information commodities are subject to the laws of supply and demand. Since information is defined here as a nonmaterial ability, it is awkward to describe an information commodity as something that contains information. The verb “contain” normally conjures up images of material things in a receptacle like a box or a can. However, it is not unusual to refer to mind as a container of ideas. So, when the context calls for it, we use the term “contents” to refer to the information, and “container” to denote the system (artificial or natural) furnishing the information. In the inside information example, the focus was on valuability. The distinction between information and information commodity is also useful for analyzing the question of information’s alleged inappropriability. This is defined by Priest (1985, p. 20) as “the difficulty in receiving full market compensation for the creation of information due to the problem of exclusion.” The problem of exclusion stems in large part from the low cost of producing additional information commodities, or, in more familiar terms, the low cost of copying. Thus, it is not a direct consequence of information’s inherent shareability. This is a very important point. It suggests that it is the mode of development and production of information commodities, not inherent features of information, which is driving the information marketplace. Innis (1951) placed heavy emphasis on intrinsic features of communication media as determinants of monopolies of knowledge. But he also recognized the influence exerted by methods of production.
Innis observed, for example, that the limited sources of the reeds used to make papyrus reinforced the knowledge monopoly of the Egyptian priesthood. Mowshowitz (1984) has argued that technology-induced social change is stimulated by extrinsic
factors (i.e., based on social relations) and technocultural paradigms as well as intrinsic features of technology. Let us not then be misled by the peculiar, intrinsic features of this intangible we call information. Although information may not be exchanged, containers of information are, and information always comes in a container of some sort. So the problem of exclusion is fundamentally the same as for most commodities. What about the creation of information commodities whose marginal cost can be expected to approach zero (Schmid, 1985, p. 16)? The commodity’s creator simply has to design a marketing strategy that amortizes development costs more quickly than might otherwise be required in order to profit from the investment.
4.3 A Naive Taxonomy
Following the United States National Commission on Libraries and Information Science (1982, p. 17), one may distinguish three types of information commodities:
• resources
• products
• services
Although not exclusive, these categories are exhaustive, and provide a reasonably good first approximation to a classification scheme.
Resources. These commodities are information systems from which information products and services can be derived. An expert system shell is a sophisticated example. An expert system shell is a software design tool for the construction of specialized expert systems. One uses such a tool to build an expert system for a specific application, such as a bank’s loan approval process or a general contractor’s procedure for scheduling subcontractors. Management information systems constitute another example. Such systems are designed to serve as intelligence aids for managers. Typical of the products of a management information system are reports on various aspects (e.g., sales by territory and product for a given time period, orders, payroll, etc.) of an organization’s activities.
Products. Products are discrete packages of information, provided to a number of users without modification. A low-tech example is the telephone book. Corresponding to this in the computer age is the CD/ROM containing an encyclopedia. On-line databases, such as Knight-Ridder’s DIALOG offerings, may be viewed as discrete packages of information
with processing power. This example taxes the taxonomy. An on-line database may very well be used to develop information products and services. Should it therefore be classified as a resource? Worse yet (for the taxonomy) expert system shells are provided without modification to many users. Should we call them products? Software packages for word processing, spreadsheet analysis, etc., present similar ambiguities. They are mass produced, but as discrete packages of information they contain a great deal of processing power, and very often are used to create information products and services. Word processing software is used to provide secretarial services, and, in conjunction with other programs, to provide typesetting services.
Services. Information service commodities are distinguished by the different ways in which they are provided to users. The prototype is the computer or software service bureau. Services are information system applications provided to specific users upon request. All of the applications mentioned under resources and products are candidates, so long as they are provided to a single user or organization by some independent organization.
4.4 Toward an Improved Taxonomy
The taxonomy of the National Commission on Libraries and Information Science allows for distinguishing commodities on the basis of (1) what they are used for, (2) how they are constructed, and (3) who provides them. It also assumes that the way an information commodity is built says something about how it can be used. There may be such a relationship, but it is not a simple one. Certainly, an item provided without modification to many users may, like a word processing system, be sufficiently complex and versatile to be used to create other information commodities. Conversely, a commodity designed for use in producing other commodities may, like an expert system shell, be mass produced. The three-category scheme of the National Commission is clearly deficient. But it probably would not help to patch it up by adding a category or two. Information technology and marketing arrangements are changing too rapidly to characterize information commodities in a static taxonomy. A way around this difficulty is to treat specific commodities as points in a space defined by a set of elements containing the three criteria mentioned earlier. The dimensionality of this space would be determined empirically, i.e., by constructing an extensive catalogue of information commodities. The definition of an information commodity provides a basis for a classification scheme. As we have already explained, anything that is
appropriable and has market value may be turned into a commodity. In particular, information can be turned into a commodity if it is possible to incorporate it in something that can be appropriated and valued in the marketplace. Clearly this condition is satisfiable, since business people have been marketing information products and services for some considerable time. The market value of an information commodity derives from its capacity to support decision or control processes by furnishing information. This capacity depends on the information content of the commodity, but also on other factors. These factors will be detailed in our presentation of a value-added model, which we will interpret as a five-dimensional classification of information commodities.
5. Making Information Commodities9
5.1 Introduction
The market value of an information commodity derives from its capacity to furnish information.10 Thus, we will examine the specific contributions of various attributes of information commodities to their capacity to inform, and hence their respective contributions to market value. Every information commodity has a kernel of information that is the particular “ability to decide or control” sought by a potential user. However, that kernel must be carried by an agent, whether a human being or an artifact, and must be accessible to a potential user in appropriate form to be of value.11 Information (other than the kernel) may again come into play here, but so do other ingredients. As explained earlier, information commodities are created by embedding information in something that can be owned and that can be assigned market value. The embedding may be in an artifact or a person. To allow for both possibilities, we will use the term “carrier.” Information carriers have three fundamental characteristics: (1) storage capabilities, (2) processing capabilities, and (3) communication capabilities. An important attribute of the second characteristic is the degree to which human intervention is required in order to process information. Storage, processing, and communication are highly complex characteristics and figure prominently in the production and marketing of information commodities. Here we merely want to point out the key elements involved in the removal and separation of information from the human being. Modern information technology has ushered in a new era of information handling in carriers, but it is not without antecedents. Examples of information carriers are almost as old as the written record in which information is represented as a string of symbols over a finite alphabet. Clay tablets with
cuneiform inscriptions may not have been traded in the ancient world, but there was a market for papyrus scrolls. Closer to our own times, the book has long been an important information commodity. There are many other examples that antedate the computer age. Throughout history there have been specialists selling advice and timely information to kings, potentates, and investors. But these examples pale into insignificance when compared with the vast opportunities created by information technology. Computers have increased the possibilities for producing information commodities, and data communications technology has extended the opportunities for marketing them (U.S. Congress, 1986; Stallings, 1985; Strassman, 1985). As Schiller and Schiller (1982) have expressed it: “[I]nformation had commercial uses and was sold long before we realized we were living in an Information Society. What is different today is that a much wider range of information has become profitable because it can be flexibly processed, selectively rearranged, and quickly disseminated by a virtuoso new technology.” Many observers have called attention to the economic significance of computer-based information. As early as the closing year of World War II, Vannevar Bush (1945) foresaw the development of sophisticated information systems that would serve as intelligent assistants to professionals in many different fields. With advances in computer and communications technology, some of Bush’s rather prescient speculations have actually come to pass. For example, many practicing lawyers routinely make extensive use of on-line databases (such as Mead Data Central’s Lexis or West Publishing’s WestLaw) for tracking down judicial precedents on legal questions; researchers in various fields use commercial bibliographic retrieval systems (e.g., Dialog) to search for literature relevant to their projects (Silverstein & Elwell, 1985; Williams, 1985).
5.2 Value-Added Model of Information Commodities
Information commodities make use of storage, processing, and communication capabilities in a variety of ways to add market value to information.12 We have identified five major value-adding dimensions of information commodities. These are:
1. kernel
2. storage
3. processing
4. distribution
5. presentation
[Figure; surviving box labels: PRESENTATION, DISTRIBUTION, PROCESSING, KERNEL]
FIG. 2. Five-dimensional model of an information commodity.
An information commodity may thus be viewed as a point in a five-dimensional space. Before computers, the critical dimension of an information commodity was almost always the kernel. That is becoming less so every day, as products and services furnishing essentially the same information compete on the basis of other dimensions. The market-value contribution of a given dimension varies with the information commodity. One such commodity may derive its market value from the kernel, while another may be valuable because of innovations in, say, storage or presentation. These dimensions may be interpreted as means of providing access to information.13 In this sense, the dimensions correspond to a telescoping series of boxes. The innermost, kernel, is contained within storage, which is contained within processing, which is, in turn, contained within distribution, which is, finally, contained within presentation. These relations, illustrated in Fig. 2, signify logical rather than physical containment.
5.3 Description of Model Components
Kernel. The kernel of an information commodity is the information furnished by it. In keeping with our definition of information, the kernel can be modelled as an organized system of declarative and procedural statements. Giving a complete characterization of the kernel would
obviously entail solving many outstanding problems in epistemology, so we will have to content ourselves with the more modest goal of describing value-adding features and providing illustrative examples.14 First, let us examine the ways in which the kernel may be structured and organized, so as to enhance the usefulness of an information commodity to potential buyers. Indexing is one important feature of the kernel of an information commodity. This holds for research reports and textbooks as well as catalogues. An index or indexing scheme is an aid to the user. In conventional terms, it defines a mapping of queries to the body of information. An appropriately formulated question, thus, can be expected to yield answers drawn from the body of information. The implementation of the mapping is especially important for the marketing of information commodities. Here is where the computer plays a vital role. The processing power of the computer makes it possible to implement such mappings in “real time.” Computer-based searching algorithms, for example, are essential components of on-line databases. We will return to this issue when we discuss the processing part of the model. Arrangement is another important feature of the kernel of an information commodity. By “arrangement” we understand the different ways in which the parts of a book or computer program are linked to each other. The chapters of a book follow each other in sequence. Reference may be made in one part of a book to another part or to another body of information by means of a citation. Subprograms of a structured computer program are also linked to each other by means of a reference scheme. Each subprogram constitutes an identifiable block of instructions which may be invoked by another subprogram (or itself, in some cases). Different applications call for different types of linkage.
Textbooks for college freshmen typically make heavy use of internal references, but do not usually cite many external sources. On the other hand, a scientific research paper would normally have a number of references to source material, but relatively few internal references. The structure of primitive elements in the kernel is also important in determining the market value of an information commodity. For a file (e.g., products, customers, subscribers, employees, etc.), the structure chosen to represent an item has implications for data entry, storage, retrieval, and reporting. For some applications a hierarchical or tree structure is appropriate; for others, a relational structure may be preferred. The idea of a data structure is also applicable to more traditional forms of information, such as reports. Sentences, charts, tables, diagrams, etc. are the sorts of data structures commonly used in reports. Accuracy of data items is another important factor in assessing the kernel’s contribution to market value.15
Traditional commodities such as books and reports furnish mainly declarative information. The kernel of a book consists of the information represented by the text, together with the structure implicit in the organization of the text. Aids to the reader, such as the table of contents, summary, index, glossary, etc., correspond to the retrieval algorithms associated with on-line databases. But unlike retrieval algorithms, these aids are “executed” by the user, not the carrier itself. That is to say, books have no internal processing capability. Computerized information commodities such as on-line databases also furnish declarative information. A bibliographic retrieval system, for example, provides a means of compiling lists of references in a given subject area. On-line databases differ from books in that the procedural information of the retrieval algorithms is a major contributor to the commodity’s market value. The kernel of such a commodity is a structured collection of document citations. An on-line legal database, for example, has a kernel consisting of a collection of texts reporting judicial decisions, together with an indexing scheme that allows for orderly updating and systematic access to the reports. Computer programs, too, are information carriers and may be turned into information commodities, commonly called software packages. The kernel of such packages, unlike that of books and databases, consists primarily of procedural statements. Declarative statements are important in a software package, but the procedural component is its dominant feature. Typically, the kernel is a collection of ordered sets of programming language instructions which can be executed by a computer. Algorithm and program design issues are relevant here. The efficiency of an algorithm, as measured by execution time and storage requirements, may be an important factor in assessing the kernel’s contribution to the market value of an information commodity.
Program-design features that affect the development and maintenance of software, as well as its efficiency, are also important factors. Note that databases and software are not the only kinds of computer-based information commodities. Computers and communication devices, too, may be information commodities, according to the definition. This interpretation is readily understood with reference to the five-dimensional model. A computer can be viewed as a device that provides the processing power needed to make full use of the potential of information carriers such as databases and software. Similarly, a communication device may serve as a means of gaining access to a database or a computer program. In both cases, the device or machine may be essential to furnishing the ability to decide or control. The kernel of an information commodity is but one determinant of market value, and is not always the most important determinant. A
microchip, which may be used in a computing device, for example, derives its market value mainly from its processing capabilities. The specific contribution of the kernel to the price of an information commodity derives partly from the cost of developing it, and partly from the economic value that potential users ascribe to it. The relative weights attached to these factors may vary widely.
Storage. The storage dimension of an information commodity encompasses both the medium used to store information and the method used to gain access to the medium. Historically, storage has been the most important aspect of information artifacts (e.g., books and periodicals). It warrants attention as a dimension of modern information commodities because of the role it plays in distribution or in making such commodities available to users, as well as its basic function in the operation of automatic computing devices. The information furnished by an on-line database, for example, may be stored in the secondary memory of a computer system. In this case, storage is integrally connected with the processing system, although it is conceivable that derivative products might be offered on CD/ROMs or other storage devices. For a book, the storage medium is the paper on which it is printed. The kernel is embedded in the strings of symbols inscribed on the paper. For software, the information (represented as statements) is usually stored in machine-sensible form on a medium that can be handled by a computing device. Examples of media include the high-speed Random Access Memory of a computer, magnetic disks, optical disks, and magnetic tape. Software for personal computers, text files, and data files are now routinely exchanged by means of floppy disks. Perhaps this medium’s importance will diminish as network storage facilities, in conjunction with electronic information transfer, become more commonplace. The main attributes of storage are capacity, speed of access, re-usability, reliability, portability, and longevity. Storage shares with other elements of information technology a pattern of rapid advance. Progress in floppy, magnetic disk drives provides an illustration. More and more information is being packed onto smaller and smaller surfaces and accessed at increasingly higher speeds.
In addition, the evolution of high-capacity optical storage systems is of major importance in the creation of information commodities. Both the floppy and the CD/ROM are critical value-adding components of an increasingly large class of products.
Processing. As indicated before, traditional information commodities such as books are essentially passive: they do not have the ability to
reorganize or re-present the information they carry. The human user (reader, in the case of a book) has to do whatever processing there is to be done. A computer system, on the other hand, replete with CPU, operating system and application programs, can process and reconfigure information. The on-line database is an example of an information commodity that depends on the processing power of a computer. This processing power is essential for implementing the storage and retrieval algorithms designed to update the files and to search for specific items or records. Although the computer providing the processing power is not itself a part of an on-line database, its processing power is. Like the on-line database, a software package consisting of computer programs stored on floppy disks does not itself have the ability to execute instructions; rather, it is designed to be used in a computerized processing environment. Both an on-line database and a software package presuppose the availability of computing power sufficient for implementing the procedural statements of their respective kernels. The value added by processing depends on the elements that make up the information commodity. Some of these elements are an integral part of the commodity, in the sense of belonging to it, others are merely used by the commodity. This distinction between belonging and use is predicated on ownership. A computer, for example, may be part of a package designed for some specific business application, or the software may be sold independently of the hardware. Both software and hardware contribute to processing power. The contribution of software occurs through enhancements in the processing environment (e.g., operating system, translators, and other utilities) in which the commodity is designed to be used.
This type of contribution is illustrated by software packages designed for use in particular operating systems, such as UNIX, or by one intended for use with a certain type of computer architecture. The peculiar advantages or disadvantages of the processing environment are thus conferred on the commodity.
Distribution. The distinction between belonging and use is also applicable to distribution: some elements of distribution may belong to a commodity, others are used by it. Telecommunications infrastructure is an obvious example of the latter type of contribution. Facilities of common carriers such as ordinary telephone lines or data networks are used to deliver on-line database services. An on-line service may be sold as a package, however, including hardware (e.g., a modem) and communications software. Data communication systems are to distribution what computer systems are to processing. The specialized communications hardware and software that belong to the commodity are direct, value-adding elements of
distribution. Value is added indirectly when the use of an information commodity presupposes a particular distribution environment. On-line databases exemplify the way in which distribution may enhance the market value of an information commodity. For example, a kernel, together with the storage and processing power of the computer, is not enough to make an on-line legal database accessible to practicing attorneys. The package is incomplete without a communications network that allows users access to the files from remote locations. Traditional information commodities such as books are normally distributed by means of mechanical transport systems. Such systems are inherently slower than electronic or optical transmission of information. While distribution of software may be accomplished by similarly physically transporting the medium on which it is stored, it is also possible to distribute software by transmitting the information in the software from one computer to another via a network or a direct link. Timeliness of delivery is a critical aspect of many information commodities. A stock market quotation service, for example, would have relatively little value to a trader if it were delivered in the form of printed lists through the postal service. Similarly, absent the ability to update itineraries in real time, the market value of airline and hotel reservation services would be very limited. So, the elements of distribution, although not necessarily integrated into a given commodity, may be essential to its market value. These examples point to a continuum of information commodities defined by the commercial importance of timely delivery of the kernel. At one end of the continuum are products and services (such as archival storage and retrieval systems) that must be updated and/or accessed relatively infrequently.
At the other end are commodities (such as on-line quotation and real-time control systems) containing information that must be updated and/or accessed from one moment to the next. Certain marketing databases containing names and addresses of potential consumers lie between these extremes.
Presentation. The final link in the value-adding chain between producer and consumer is presentation. Storage preserves the kernel, processing implements it, distribution brings it within reach, but something more is required to make the kernel fully accessible. The information must be presented to the user in a comprehensible form. To be comprehensible, information must be displayed and represented in an appropriate form. Items retrieved from an on-line database, for example, must be identified and presented in a way that enables the user to perceive and comprehend the information as responses to queries. Similarly, messages generated by a
computer program must be suitably presented to enable the user to make sense of them. Representation requirements vary with the type of user. If the user is a person, information is normally conveyed in the form of natural language text or specially formatted numbers and symbols. Menus, icons, and other “navigational” aids may also be used. Software packages, for example, generate messages in a modified, natural language that are displayed on a monitor. If the user is a machine or a process, the commodity must structure its input and output so as to be compatible with the format adopted by the machine or process, i.e., the information must be formatted according to a protocol or convention shared by both sender and receiver. Common modes of display include printing on paper and display on a monitor. Internal factors affecting the appearance and readability of printed text include page size, paper quality, type face, style and size of the font, page layout, etc. Factors external to the storage medium may also affect presentation. For example, if a very small type font is used to compress the text (as in the two-volume edition of the Oxford English Dictionary), many readers would require a magnifying glass, or, perhaps, special lighting. Similar observations apply to monitor displays. Consider the interaction of a human user with a software package. Instructions from the user are entered at a keyboard or related device linked to a computer. Internal factors in this case include the properties of the display (e.g., size, resolution, chromaticity, etc.) and of the keyboard (e.g., available functions, size and layout of keys, action of keys, etc.). Also included among the internal factors are the features of the display of information on the screen. Mechanisms designed to call attention to particular items on the screen, spatial arrangements of the information displayed, the division of the screen into multiple work areas, etc., are cases in point. 
Factors external to the display and keyboard are also important in this example. Lighting and the physical placement of the display and keyboard are important ergonomic concerns and affect the presentation of the information commodities. All of these characteristics of presentation point to opportunities for adding value to an information commodity. A software package may be superior to competing products by virtue of an exceptional screen layout; a database system may outshine its rivals because it accepts commands from the user in the form of simple key combinations. These features may be just as critical to the marketability of an information commodity as the attributes of its kernel, storage, processing, and distribution components. Current developments in graphical user interfaces and multimedia technology underscore the commercial significance of presentation.
Cost is an important consideration in all the value-adding components of an information commodity, since these components are rarely free and producers must take account of cost in setting prices. Even if information is in the public domain, there are costs associated with gathering and organizing the information in the kernel of an information commodity. Storage also adds to production costs. The amounts involved vary from the low cost of a floppy disk to the high cost of a sophisticated disk drive. Processing costs for hardware and software define an even broader range. Presentation now figures prominently in the competition between information commodity producers, and, thus, presentation costs are becoming ever more important in the pricing of such commodities. Distribution costs are especially important in relation to the emerging network marketplace for information commodities. Economies of scale in distribution can be achieved by load and resource sharing in a network. Networks also provide a means by which communities of buyers and sellers interact with each other. Economies of scale imply lower distribution costs; flexible interaction means better opportunities for development and marketing. Thus the network marketplace may be expected to facilitate the development and introduction of a rich variety of information commodities.
5.4 Applications of the Model
In this section, the five-dimensional model is used to analyze three families of commercially available banking products and services.16 These products and services are designed primarily for business, rather than individual, clients. The offerings of the first family support electronic exchange of information between customers and the bank; those of the second family encompass a wide range of computer-based banking functions including information exchange; the third family includes traditional banking services. Products of the first type emphasize the kernel and the distribution components; those of the second type add an additional emphasis, namely, the processing component; the third type supplies a broad range of features. All three types are examples of information commodities that have value in the marketplace because their respective components (i.e., kernel, storage, processing, distribution, and presentation) offer value (to varying degrees) to potential users.
Information Exchange Products. The products in this family differ only in their respective kernels. That is to say, the storage, processing, distribution, and presentation components are the same for every member of the family. Thus we describe these components for the family as a whole, and give the kernel for each individual product.
Features Common to Family 1
  Storage
    Secondary memory of a bank’s mainframe
  Processing
    Bank’s mainframe
  Distribution
    Public packet-switched network
    PC software for communication with the bank
  Presentation
    User PC operating under MS/DOS

Product 1.1: Bank Account Information
  Kernel
    Declarative
      Current account balances
      Deposit and loan balances
      Transaction information
    Procedural
      e-mail
      Payment initiation

Product 1.2: Securities Account Information
  Kernel
    Declarative
      Portfolio balances
      Status of orders
    Procedural
      e-mail
      Order initiation

Product 1.3: Letters of Credit
  Kernel
    Declarative
      Status reports on letters of credit
    Procedural
      Opening letters of credit
      e-mail

Product 1.4: Currency Trading
  Kernel
    Declarative
      Status reports on currency transactions
      Deposits and off-balance postings
    Procedural
      Initiation of currency and deposit transactions
      e-mail

Product 1.5: Credit Management
  Kernel
    Declarative
      Information on accounts receivable, stock in trade, etc.
      Timetable of interest payments
      Status reports on use of credit lines
    Procedural
      (No procedural component)

Product 1.6: Market Information
  Kernel
    Declarative
      Exchange rates
      Precious metals prices
      Money and capital market interest rates
      Stock, bond and options quotations
      Money market news
      Financial news
      Stock market research information
    Procedural
      (No procedural component)

General-Purpose Products. The products in this family, like those of the former family, differ only in their respective kernels. That is to say, the storage, processing, distribution, and presentation components are the same for every member of the family. Thus, again, we describe these components for the family as a whole, and give the kernel for each individual product.

Features Common to Family 2
  Storage
    User PC (mainly for storing applications software)
    Mainframes of banks providing information
  Processing
    Hardware
      User PC (mainly for running applications software)
      LAN cards (for clients’ Local Area Networks running Family 2 products)
      Mainframes of banks providing information
    Software
      Report writer
      Application integrator
      LAN management software
  Distribution
    Public packet-switched network
    PC software for multibank communications
    Automatic dialing
  Presentation
    User PC operating under MS/DOS
    Function keys to invoke commands

Product 2.1: Multibank Account Management
  Kernel
    Declarative
      Multibank balance and transaction reports
      Liquidity projections
    Procedural
      Automatic dialing to client’s banks
      Cash flow management
      Multibank money transfer

Product 2.2: Fixed-Income Investment Management
  Kernel
    Declarative
      Management information
    Procedural
      Administration of interest-bearing investments and debt obligations

Product 2.3: Foreign Exchange Management
  Kernel
    Declarative
      Management information
    Procedural
      Administration and analysis of foreign exchange contracts
      Administration of options and swaps

Human-Based Products. This family of human-based products may also be modeled in the value-added framework. The storage, processing, distribution, and presentation components may be characterized as follows.
Features Common to Family 3
  Storage
    Human expert supported by documents and computer systems
  Processing
    Human expert supported by computer systems
  Distribution
    Face-to-face interaction
    Telephone
    Document exchange
  Presentation
    Oral communication
    Printed text with illustrations

Product 3.1: Financial Management
  Kernel
    Declarative
      Client-specific information
      General financial information
    Procedural
      Funds management
      Money management
      Risk management

Product 3.2: Treasury Management
  Kernel
    Declarative
      Client-specific information
      General financial information
    Procedural
      Information flow
      Applications
      Organization of treasury function

Analysis of Potential Product Enhancements. As we have noted, the difference between information-exchange and broader computer-based applications, viewed as information commodities, is one of degree, rather than of kind. The value of the products in both of the electronic banking families lies in the value added by their respective components, i.e., kernel, storage, processing, distribution, and presentation. However, the differences between the two families are important only insofar as they reflect differences in customer demand.
The distinction between supply and demand perspectives is a useful one to keep in mind. From the standpoint of the development and implementation of electronic banking applications, it is advantageous to emphasize the resemblances between products. This follows from the possibility of exploiting such resemblances to achieve economies of scale and scope (e.g., using the same type of personal computer as the presentation vehicle in both families). On the other hand, for marketing purposes, it may be useful to highlight differences in order to present the customer with a rich product mix.
A unified platform can enhance both development and marketing possibilities. Such a platform supports a modular approach to development and marketing. On the development side, such a unified platform simplifies the design and implementation of new products. Products can then be created by introducing new modules, or by combining existing modules in new ways, and may be marketed on the basis of module-groups. For example, all clients could be offered a single basic module-group, along with a choice of other module-groups.
We now present different enhancements to the electronic banking products in terms of the five components of an information commodity. Since the kernel presents the greatest degree of variability, it is treated separately from the other components.
Storage. Currently, most of the (declarative) information, e.g., client-specific data, generic information purchased from financial on-line vendors, etc., that is made available to clients is stored on the mainframe computer of the customer’s or a corresponding bank. Local PCs are used mainly to store procedural information, i.e., the management software of Family 2 applications. However, it could be of interest to make greater use of the user’s PC for the storage of client-specific data.
One possibility would be to download transaction data to a “client inquiry database.” Transaction data covering the latest month, for example, could be stored on the client’s PC. The bank’s system could keep a record for each client of the last entries downloaded, so that only a portion of a given client’s transaction record would have to be updated at login time. This arrangement would reduce connect time, thus lowering communication charges; moreover, it would reduce the time it takes a client to obtain account information, since searching would be done locally. Another way of using storage to add value to electronic banking products would be to create a specialized database package consisting of a client’s long-term transaction data. Again, a PC-based application would be advantageous. Such an archival, client database would provide opportunities for the development of new software to manage and analyze the client information in these databases.
CD/ROM is a high-volume storage medium with great potential for the enhancement of electronic banking products. This will be considered further under the heading of distribution.
Processing. As suggested above, it would be desirable to shift much of the processing currently performed by the bank’s mainframe for Family 1 functions to the user’s personal computer. This goal could be accomplished by the development of a single platform for both families. PC hardware and software are examined under the heading of presentation.
Distribution. The value added by distribution comes mainly from the use of a public packet-switched network providing remote user access to data and software. A complementary distribution possibility that might be considered is the use of CD/ROM technology. This technology is well suited for the distribution of large volumes of data. For example, historical price data on commodities, stocks, options, currency, etc., as well as bibliographic index packages could be provided in this form. As noted earlier in relation to the client database idea, this kind of high-volume data would create opportunities for analytical and managerial marketing software.
Presentation. Both families of electronic banking products were typically designed for presentation to the user on IBM-compatible personal computers operating under MS/DOS. Since clients may be using information obtained from these products in spreadsheet, database, or word processing programs, and may thus have occasion to switch back and forth between applications, some kind of windowing capability would be desirable. This ability to have one or more applications simultaneously active and sharing space on the monitor screen could add significant value to the presentation component of an electronic banking product.
New Products Suggested by the Value-Added Model. The following table is a partial listing of the array of value-added ingredients that could be used to make new or extended products. Note that a new product would consist of a subset of these ingredients together with some or all of those of an existing electronic banking product.

  Kernel
    Declarative
      New sources of information (e.g., on insurance products)
    Procedural
      Analytical software
      Extended trading facilities (e.g., options and currency futures)
  Storage
    CD/ROM
  Processing
    PC platform for product delivery
    CD/ROM reader
  Distribution
    Communication links to new information providers
    CD/ROM distribution of high-volume databases
  Presentation
    Graphical user interface

Examples of new products built on existing ones include:
1. Analytical software to support cash and treasury management.
2. Trading-support software (e.g., knowledge-based programs for options and currency futures trading). Analytical and trading-support software are currently available from specialty vendors. Such products could be made available to banking customers under leasing agreements with specialty vendors. If this course were followed, banks could rely on extensions of existing products without having to develop new products from scratch.
3. Client database systems for recording archival transaction data. This is a self-service type of product, one that shifts some of the burden of data management to the client. It could be designed to make use of CD/ROM technology for storage and distribution.
4. On-line databases on financial products such as insurance offerings or trade-related information such as tariffs. For example, on-line access to information about insurance products could be provided to clients in cooperation with insurance companies. It might also be possible to allow a client to order insurance coverage on-line. More generally, banks could investigate product possibilities of this kind in cooperation with noncompeting firms in the financial services arena.
The foregoing discussion shows how the five-dimensional model can be used to analyze information commodities with a view to enhancing existing products or developing new ones.
5.5 Estimating Supply Price
Supply price refers to the amount charged by the vendor of an information commodity. The cost of production is not the only consideration in making a pricing decision, but it is a critical one, and can serve as an
estimate of the lower bound on the supply price. A vendor must charge no less than the cost of production to break even on a sale. Under the assumption that a commodity is not priced at a loss, one can take the production cost to be a lower bound on the supply price.17 The five-dimensional model provides a framework for determining the cost of the development or production of an information commodity. The analysis of development cost can be resolved into the following procedure:
1. Identify major development tasks corresponding to value-adding dimensions.
2. Refine the major tasks to isolate the separable subtasks in the development process.
3. Establish interdependencies between the subtasks, i.e., determine which subtasks feed information to which other subtasks.
4. Construct a graph representing the interacting subtasks obtained in (1) and (2).
5. Determine the costs of the subtasks, and, for each, determine the allocation of outputs to the subtasks dependent upon it.
6. Use the graph representation to answer questions about overall development costs and to explore the cost implications of changes in the development process.
As an illustration of this procedure, let us consider the problem of determining the development cost of an electronic banking product. For simplicity, suppose the product is to offer archival data on CD/ROM, and that updates are to be provided monthly. Following step 1, we establish the following correspondence between the value-added components and the major development tasks:
  Kernel:       Task 1 (designing and constructing the database)
  Storage:      Task 2 (obtaining equipment and implementing procedure for updating CD/ROM)
  Processing:   Task 3 (building client software for using database)
  Distribution: Task 4 (arranging for shipment of CD/ROM and software package)
  Presentation: Task 5 (selecting a graphical user interface)
The graph in Fig. 3 is a representation of one particular way of organizing the development process; clearly, it is not the only possible way. This graph shows the relations between the major development tasks.18 The tasks defined in the representation shown in Fig. 3 have to be further refined for purposes of cost analysis. Obvious refinements include dividing
FIG. 3. Major development tasks.
tasks 1 and 5 into design subtasks (1a and 5a) and implementation subtasks (1b and 5b), respectively, and differentiating task 2 into equipment subtask (2a) and updating subtask (2b). A modified graph is shown in Fig. 4. Further refinements of tasks 1, 2, and 5, as well as differentiation of the remaining tasks may be required in order to complete the analysis. The next step in constructing the graph model is the assignment of weights to the nodes and the edges. Nodes are assigned weights reflecting the costs of processing performed by the subtasks they represent. Note that the output of a given node is the sum of the processing cost at the node and
FIG. 4. Refined development tasks.
the inputs to the node. The weight assigned to an edge ab (directed from node a to node b) is the cost of the input passed from a to b. The total cost of developing the commodity is the sum of the inputs to the end node. In the example shown in Fig. 4, this is the sum of the weights attached to the edges directed from nodes 1b, 2b, 3 and 4 to End. Assigning costs to the nodes and edges of the graph is by no means trivial. We will return to this issue in the discussion of demand pricing. The same type of analysis can be applied to the process required to produce a given information commodity for sale. Knowledge of the total cost of production and development would enable the vendor to determine a break-even price for the commodity. As argued earlier, this provides an approximate lower bound on the supply price.
6. Toward an Inventory of Information Commodities19
New information products are being developed and brought to market at a prodigious rate. A catalogue of such commodities would almost certainly be obsolete before its release date. The aim of this section is to sketch some of the main lines of development in selected commercial areas, namely, manufacturing, banking, electronic information, securities trading, credit reporting, and software. These areas cover the production of goods (manufacturing), the services provided (banking, securities trading, and credit reporting), and new information activities (electronic information, software). Each area will be described briefly in turn.
6.1 Manufacturing
The design of information commodities in manufacturing is in step with the modular organization of production in the factory. As rigid production lines give way to more flexible arrangements, data handling and communication become as important as the machine tools populating the factory floor. The price of flexibility is a complex system of data-linked machines controlled locally by microprocessors and globally by mainframe computers. The increasing importance of computer communications has led scientists, engineers, and managers to think about the role of information in manufacturing. From directing attention to something as an issue, it is but a short step to treating it as an independent element. Manufacturing companies are on the threshold of creating information products and services both for their own use and for sale to third parties.
Numerical control and robotics are the most prominent manifestations of the general process of separating information from the people on the factory floor. These components of factory automation are likely to be turned into information commodities in the near future. Consider the case of numerical control. In the course of embedding the skill of a machinist in a computer program for a controller, an artifact is created that takes on a life of its own. Before numerical control, one could not have the skill without the human machinist. With the artifact it is possible to contemplate new arrangements. In particular, there is some choice, not available before, in obtaining the program to control the making of a part. The program can be written in-house as currently done or could be purchased from an outside contractor. In addition, such a software package could be sold to third parties. Similar opportunities are now evident in the area of robotics. Other areas of manufacturing such as product design and material handling will offer additional opportunities for the development of information commodities in the coming years.
6.2 Banking
Banks were among the first commercial organizations to introduce computers. From humble beginnings in check processing, computer-based information systems have spread to many areas of banking. These areas include lending activities, letters of credit, portfolio management, home banking, and others. Since money itself may be regarded as symbols in accounting systems, banking reduces, mainly, to the manipulation of information. As in all businesses, there are two streams of commoditization in banking. One derives from support operations, while the other is an integral part of the organization’s main product or service lines. The automated teller machine (ATM) is an information commodity that grew out of support operations. Home banking systems, whatever their market prospects, are a direct extension of ATMs. However, if (or when) successful, they are likely to cast off this association and serve as vehicles for a variety of bank offerings. The commoditization of mainline banking services is being driven by changes in the nature of banking itself. As expressed by Regan (1986, p. 4), “it is becoming increasingly critical for banks to derive profits from their non-credit services and investment banking services.” Competition in the financial services market and the decline of lending to multinational corporations (who lend directly to each other) are forcing banks to turn to the marketing of information and information systems.
6.3 Securities Trading
Like banking, securities trading is an information business in which information commodities are old hat. There has long been a market for investment advice and securities prices, for example. Information technology has raised the level of sophistication of products and delivery systems, and has created a global marketplace. The marketplace for information in the securities industry has two main components: (1) retail business and (2) professional trading. Retail business refers to the small investor placing orders with a brokerage firm. Professional trading refers to the investment activity of brokerage houses, banks, pension funds, and other large money managers. Although the telephone is still the principal instrument of the average investor, competition for retail accounts appears to have driven brokerage houses to market computerized trading packages. A typical package consists of a microcomputer and modem together with communications software. Armed with this equipment and appropriate account numbers and passwords, an investor can place orders without having to talk to anyone. In addition, it is also possible, for a fee, to obtain quotations and financial information from an on-line vendor linked to the brokerage house’s computer system. Information commodities are also being developed for the professional trader. These are very sophisticated computer programs designed to optimize rates of return in specialized investment vehicles. Computer systems for options and fixed-income securities have been developed and marketed by several firms in the securities industry.
6.4 Credit Reporting
Credit reporting has two separate components: (1) consumer and (2) business. Thanks to information technology, each of these has become global in scope. The ability to provide merchants with real-time access via global telecommunication systems to databases furnishing consumer credit data has fueled a major expansion of credit card transactions. Commodity formation in the consumer credit industry is closely tied to systems used to collect and deliver data. Because they facilitate the automatic collection of a variety of consumer information, including data on buying preferences, the growth in computerized shopping transactions is likely to result in new commodities. The business side of credit reporting has also expanded and refined its commodity offerings. Information technology has led to improvements in
the gathering and delivery of data just as it has in the consumer credit field. More important for the business side is the creation of mammoth, centralized databases on the activities of companies. Dun & Bradstreet, for example, maintains a computerized database on more than six million companies in the United States. This rich lode of information in a computerized system allows Dun & Bradstreet to offer clients a whole range of information products and services, from simple reports on a firm’s creditworthiness to in-depth studies of the firm’s performance and prospects.
6.5 Electronic Information Industry
Unlike manufacturing and the service sectors described above, this industry is a product of the computer age (see Williams, 1985). On-line database sales in 1984 amounted to $1.57 billion (Silverstein & Elwell, 1985). Although only 3% of publishing industry revenues of $52 billion that year, on-line sales have been growing at double-digit rates, considerably higher than overall sales growth in the publishing industry. In the business information domain, the on-line segment accounts for nearly 15% of total revenues. The vast majority (over 90%) of users of on-line databases are businesses. Industry and the legal profession account for two-thirds of usage (measured in connect time) and nearly 80% of revenues. Academic and government users generate one-quarter of usage and about 15% of revenues. Although consumers contribute a very small part of total on-line revenues, the consumer segment is the most rapidly growing segment. Since the rate of sales growth in the business and academic segments is slowing, on-line vendors are now marketing more aggressively to consumers. A notable example is a DIALOG service called Knowledge Index, which provides access to a subset of DIALOG databases during nonbusiness hours for a modest fee that bundles together telecommunications as well as connect-time charges.
6.6 Software Industry
As the market for computer systems has grown and differentiated, the notion of software has come to replace the concept of a computer program as the term of choice to describe the “invisible hand” guiding the computer. This is first and foremost a marketplace term used as counterpoint to “hardware,” the physical elements of computer systems. So ubiquitous is the term “software” that the redundant locution “software program” is sometimes used as a synonym for “computer program.” These linguistic changes signal the transformation of the computer program into an
information commodity. The computer program is an intangible artifact embodying the control information needed to direct a computer’s performance. Software is an information commodity whose kernel is a computer program. Software development and maintenance have for some time now accounted for a greater proportion of computer system costs than hardware (Boehm, 1981). This shift in the relative costs of hardware and software testifies to the emergence of a huge market for software. The size of this market is corroborated by sales figures. Worldwide software sales among the top 100 firms in the information system industry accounted for 11.5% of their total 1991 revenues of $290 billion (Marion, 1992). The commoditization of computer programs is a natural consequence of the evolution of computer systems and applications. Developments in operating systems and high-level programming languages for mainframe computers in the early days of computing gave programming some independence from the machine. As certain operating systems became de facto industry standards and programming languages such as COBOL and FORTRAN gained prominence in commercial applications, a market for utility and applications programs began to emerge. This market was greatly expanded by the advent of minicomputers, which placed computing resources within the reach of small and medium-sized, as well as large, businesses. The innovations introduced by successive generations of programming languages made it feasible to create commercially viable programs for a variety of business applications. A mass market for computer programs has arisen with the personal computer and the work station. In a little over a decade, the personal computer has been transformed into something like a household appliance. More than thirty million of these machines have found their way into homes and businesses in the United States. The production of software for these millions of machines has become a major industry. 
The adoption of Microsoft’s DOS as the standard operating system for the IBM PC created a huge market for application software, especially in the office. In particular, word processing, spreadsheet graphics, and database packages have been developed in response to specific office needs. The introduction of a more powerful standard operating system will provide yet further impetus for the creation of new office software. The commoditization of computer programs provides a convincing example of the need to distinguish between information and information commodities. Despite the indisputable fact that use does not destroy the “content” of a software package, and that such packages are easily copied, commercial empires have been built and vast fortunes accumulated through the manufacture and sale of software. The software package or information
commodity is not identical to its kernel. Recall that a commodity is an economic good that can be valued and owned. The valuation of software is not very different from the valuation of machines. Ownership, by contrast, does pose problems because of the ease of copying and the difficulty of enforcing laws (e.g., those applicable to copyrights, patents, and trade secrets) designed to protect proprietary rights in software. If a software package were equivalent to its kernel, there would be no software industry. Software producers have overcome the commercial liabilities of ease of reproduction by building obsolescence into their products, and it is the commodity, not the information it furnishes, that can become obsolete. The evolution of the market for personal computers bears some resemblance to the diffusion of the telephone. Like the telephone, the personal computer began life as a business instrument. From the opening of the first commercial exchange in 1878, it took about half a century for the telephone to achieve a penetration level of one-third of the household market in the United States. After World War II, the diffusion of the telephone quickened, reaching nearly 90% penetration a couple of decades later. The personal computer appears to be where the telephone was at the end of World War II, poised for rapid diffusion in the household market. If the analogy holds, and if the market history of the personal computer is taken to include the whole commercial life of the computer, it could be expected that a 90% penetration will be reached early in the next century. The role of the personal computer as a network access device reinforces the analogy with the telephone. As network infrastructure and services are elaborated, the demand for personal computers and software will grow.
7. Using Information Commodities20
7.1 User as Producer: Derived versus Final Demand
In assessing the value of an information commodity to a user it is essential to distinguish two different cases. In one case, the commodity is used to make something intended for sale, and the desire for the commodity is an example of derived demand. In the second case, the commodity is used as a consumer good, and the desire for the commodity exemplifies final demand. We are concerned here exclusively with the derived demand for information commodities, and are assuming that the potential buyer of an information commodity intends to use it to make a product or service that is to be offered for sale.21 Thus, the process of determining the maximum price a user should pay for an information commodity reduces to determining how much the commodity in question will lessen production costs, or,
more generally, increase the profits from the sale of the product or service.22 For simplicity, the analysis of demand pricing is restricted to the effects of an information commodity on the cost of production.
7.2 Production Digraph Model
Since price determination depends on the role of the information commodity in a production process, we need to model the process in a way that shows the effects of the commodity on the cost of production. We model a production process as a collection of interrelated tasks which can be represented in the form of a weighted structure, called here a production digraph. This digraph has the same form as that of the model introduced in Section 5.5 to compute the cost of producing an information commodity. Now we give a precise definition of the model.23 Let V, E, a, z, c, and w be defined as follows:
  V is a set of vertices or nodes
  E is a set of arcs or directed edges joining distinct pairs of nodes
  a is a unique node (source) of indegree zero
  z is a unique node (sink) of outdegree zero
  c is a function mapping V to the nonnegative reals
  w is a function mapping E to the nonnegative reals
Furthermore, let I(u) be the input of u (i.e., the sum of the weights of the edges directed to node u), and O(u) the output of u (i.e., the sum of the weights of the edges directed from node u). Then P = P(V, E, a, z, c, w) is a production digraph if the following two conditions are satisfied:
(i) O(u) = c(u) + I(u) for all nodes u in P,
(ii) P is acyclic.
The nodes of a production digraph represent subtasks in the production process. A directed edge from node a to node b signifies that, in order to perform its function, the subtask corresponding to node b requires input from the subtask corresponding to node a. Since we want to model a production process as an isolated system, we identify initiating and terminating subtasks. These subtasks are represented in the digraph by the source and sink, respectively. The function c assigns a weight to each node. This weight is the cost of the processing performed by the subtask on its inputs. Finally, the function w assigns a weight to each directed edge in the digraph. For an edge ab directed from a to b, w(ab) is that portion of the cost of the output of a that is allocated to b.
Condition (i) may be interpreted to mean that the output of a node equals the input plus the value added by (or the processing cost of) the subtask corresponding to the node. Note that this condition implies O(a) = c(a), since a has no incoming edges; and I(z) = -c(z), since z has no outgoing edges. Condition (ii) is a simplifying assumption. The entire cost of a production process modeled by a production digraph is given by the input to the sink, i.e., the sum of the costs of the subtasks equals the input to the sink. This property of a production digraph is expressed in the following equation:24
$$I(z) = \sum_{i \neq z} c(i).$$
Production digraphs have the convenient property that edges incident to the sink z form a cutset dividing the digraph into two subdigraphs, one containing z alone, the other containing all the remaining nodes. This implies the following:
If T is a cutset of edges separating production digraph P into disjoint subdigraphs Q and R containing source a and sink z, respectively, then
$$\sum_{i \in Q} c(i) = \sum_{e \in T} w(e).$$
This property allows for an incremental approach to cost determination, inasmuch as the production digraph can be built in successive stages. Given production digraphs Q and R, we can replace (expand) a node u of Q by R to obtain a new production digraph P. This can be done in the following way:
1. Remove the node u of Q and redirect all the edges incident on u to the source of R.
2. Redirect the edges incident from u so they are incident from the sink of R.
3. Adjust the costs and weights of the nodes and edges, respectively, of R to be consistent with condition (i) of the definition.
There are two major steps in our approach to determining the cost of making a product or service:
(a) Construction of the production digraph.
(b) Determination of the costs of the subtasks (i.e., node costs), and establishment of the cost relations between subtasks (i.e., edge weightings).
Each of these steps may call for considerable empirical investigation. The construction of the digraph entails identifying the tasks in the production process and determining the dependency relations between the tasks. The identification of the tasks is a far from obvious process, in that there are many ways to differentiate a set of complex activities. However, the process is not entirely arbitrary, since the production processes we are concerned with are typically executed within organizations that provide rules and procedures defining the boundaries between subsets of activities. In addition, the need to assign costs places further constraints on the designation of tasks within the model, as in the practices followed in accounting systems generally. Organizational procedures and accounting methods define a kind of give-and-take between the identification of tasks and the determination of task dependency relations. Suppose, for example, task T is tentatively identified as one of the components of a production process. If it turns out that T cannot be separated from task S within the organization, or that it is impossible to assign a cost to T independently of S, one might try merging T and S to form a new task.
Ascertaining the costs to be assigned to the subtasks may be even harder than constructing the digraph.25 Clearly, the production digraph model does not resolve cost accounting issues, such as ways of dealing with fixed as opposed to variable costs or direct versus indirect costs. Ideally, the organization responsible for the production process would have accounting categories corresponding to the tasks in the model. Unfortunately, this may not occur in practice. So, some collection of cost data for purposes of assigning values to the nodes, and empirical research to determine appropriate edge weights, may be required to complete the model.
The digraph model provides a framework for the analysis of the cost effects of an information commodity on a production process. Once the digraph has been constructed and costs allocated, it is possible to investigate in a systematic fashion the effects of introducing an information commodity into the underlying production process.
7.3 Estimating Demand Price
As explained earlier, the potential reduction in the cost of production that might result from the use of an information commodity can be taken as a rough estimate of the demand price for that commodity. That is to say, it is reasonable to expect a prospective buyer (who would use his purchase to create something else for sale) to calculate the maximum he is willing to pay for a commodity in terms of projected cost savings to be derived from its application in production. Thus, we turn now to the application of the production digraph in analyzing ways in which an information commodity might be used in a production process so as to lower costs. An information commodity such as a computer, a piece of software, or a database may affect production in several different ways, four of which are described below.
Type 1. Processing within a subtask may be altered without establishing new connections or eliminating existing connections to other subtasks.
Type 2. Connections between subtasks may be modified.
Type 3. A subtask may be divided into two independent subtasks.
Type 4. Two subtasks may be combined to form one subtask.
Each of these changes resulting from the use of an information commodity has a well-defined effect on the digraph model of the production process.
Type 1 changes in a node x are reflected only in modifications of the cost, c(x), of node x. This implies no change in either the set of arcs incident to x or the set incident from x. However, since the cost is altered, the output O(x) must be redistributed among arcs incident from x to other nodes, and all the other node and edge weights must be readjusted in accordance with the definition of a production digraph.
Type 2 changes involve the elimination or addition of arcs to a production digraph. If an arc incident from a node x is eliminated, the entire output O(x) must be reallocated to the remaining arcs issuing from node x, and the weighting function w must be adjusted. If a new arc from node x to node y is added, again the output O(x) of x must be reallocated, and the function w adjusted.
Type 3 changes are more complicated. These involve the elimination of an existing node together with all the arcs incident to it and from it, and the introduction of two new nodes together with arcs linking them to other nodes in the digraph. This is a major change requiring an updating of the set V of nodes and the set E of arcs as well as modification to both weighting functions c and w.
Type 4 changes involve similar adjustments. When two nodes x and y are merged into x', the arcs incident to either x or y will be incident to the new node x'; however, not all of the arcs incident from either x or y remain in the new digraph. In particular, arcs xz and yz are merged, and arcs xy and yx disappear. The merger of nodes x and y presumably results in a cost c(x') < c(x) + c(y). The output O(x') must be reallocated to the arcs issuing from x' and the weighting functions c and w, the node set V and arc set E must also be adjusted so as to yield a new production graph.
An estimated upper bound on the demand price of an information commodity may be obtained by determining the change induced by the commodity in the total cost of production. This change is the difference, I(z) - I(z'), where z and z' are the sinks of the old and new production digraphs, respectively.
FIG. 5. Catalogue preparation before commodity.
Example of Estimation Procedure. Consider a graphics design firm whose activities include the preparation of catalogues for various distributors. Suppose the firm is looking into the purchase of a multimedia editor that would allow for computer processing of images as well as text. To assess the prospective cost implications of using a multimedia editor in catalogue preparation, a model of the process is required. The production digraph of Fig. 5 depicts the current arrangement. Nodes correspond to the following subtasks:
a: obtain list of items to be included in catalogue (source)
T1: obtain descriptions of items
T2: obtain price information
T3: obtain drawings or photographs of items
T4: compile descriptions and price information in word processing file
T5: design catalogue document
T6: make mechanicals for reproduction of catalogue document
T7: prepare pictures for the mechanicals
T8: place pictures in the mechanicals
z: terminate production process (sink)
The edges in the digraph represent dependence relations. This means, for example, that in designing the catalogue document (T5) use is made of the word processing file (T4) and of pictures of the catalogue items (T1). Unlike the edges in PERT or CPM networks, the presence of an edge xy in a production digraph does not necessarily imply that subtask x must be completed before task y. So some of the design work (T5) may occur before all the price information (T3) has been obtained. The digraph captures dependencies that reflect cost relations, e.g., the total output from T5 includes the cost of the inputs from T1 and T4, as well as the cost incurred in processing at T5. Note that the total cost of preparing the catalogue is the weight of the edge from T8 to the sink.
Now let us consider the potential impact of a multimedia editor on the catalogue preparation process. Such an editor would allow for combining image and text processing, thus making it possible to streamline production. In particular, subtasks T5 (design of catalogue document) and T6 (making mechanicals for reproduction of catalogue document) could be merged together. The digraph of Fig. 6 shows one possible way of rearranging the entire process. The nodes in this modified digraph correspond to subtasks as follows:
a': obtain list of items to be included in catalogue (source)
U1: obtain descriptions of items
U2: obtain price information
U3: obtain drawings or photographs of items
U4: compile descriptions, price information and pictures in multimedia database
U5: design catalogue document
U6: make mechanicals for reproduction of catalogue document
z': terminate production process (sink)
Subtasks associated with nodes a', U1, U2, and U3 correspond to those associated with nodes a, T1, T2, and T3, respectively, in the original production process. With the multimedia editor, the pictures can be processed with the text, so there is no longer any need to prepare the pictures separately for the mechanicals.
FIG. 6. Catalogue preparation after commodity.
As this example shows, the digraph representation facilitates identification of the subtasks likely to be affected by a new production aid. But, what is more important, the model provides a means of analyzing possible changes in the interrelations between affected subtasks. That is, the digraph model is a vehicle for analyzing the impact of structural changes in the production process. Moreover, the same production digraph may be used to investigate the impact of many different types of information commodities on the production process.
A realistic appraisal of the cost effects of the multimedia editor requires detailed accounting data on the original production process, and good estimates of the costs in the modified process, especially for subtasks associated with nodes U4, U5, and U6. Assuming that the data can be obtained, and that it is possible to estimate the operational costs of the new hardware (e.g., CD/ROM drive) and software, the remainder of the appraisal exercise is purely mechanical. The change in the cost of the production process induced by the multimedia editor is given by:
$$w(T8, z) - w(U6, z').$$
This difference provides an estimate of the upper bound on the demand price of a multimedia editor. A manager could use it as a guide in deciding how much to pay for such an information commodity.
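The model of Sections 7.2 and 7.3 can be checked mechanically. The following Python sketch is an added example, not part of the original chapter: it allocates edge weights so that condition (i) holds, confirms that I(z) equals the sum of the node costs, checks the cutset property, and applies a Type 4 merge to obtain the bound I(z) - I(z'). The function names, the per-node output shares, and every cost figure are assumptions constructed for illustration, and the digraph is a simplified catalogue process rather than the one in Fig. 5.

```python
from graphlib import CycleError, TopologicalSorter  # Python 3.9+
from math import isclose


def allocate(costs, shares, sink):
    """Edge weights w[(u, v)] that satisfy condition (i), O(u) = c(u) + I(u).

    costs:  {node: c(node)} for every node except the sink
    shares: {node: {successor: fraction of O(node) allocated to it}}
    """
    preds = {u: set() for u in (*costs, sink)}
    for u in costs:
        if not isclose(sum(shares[u].values()), 1.0):
            raise ValueError(f"shares of {u!r} must sum to 1")
        for v in shares[u]:
            preds[v].add(u)
    try:  # condition (ii): the digraph must be acyclic
        order = list(TopologicalSorter(preds).static_order())
    except CycleError as exc:
        raise ValueError("production digraph must be acyclic") from exc
    w, inflow = {}, dict.fromkeys(preds, 0.0)
    for u in order:  # predecessors first, so I(u) is final when u is reached
        if u == sink:
            continue
        output = costs[u] + inflow[u]
        for v, frac in shares[u].items():
            w[u, v] = frac * output
            inflow[v] += w[u, v]
    return w


def total_cost(w, sink):
    """I(z): the input to the sink, i.e. the sum of c(i) over all i != z."""
    return sum(x for (_, t), x in w.items() if t == sink)


def condition_i_holds(costs, w):
    """Re-check O(u) = c(u) + I(u) at every node that has a cost."""
    for u, c in costs.items():
        out = sum(x for (s, _), x in w.items() if s == u)
        inp = sum(x for (_, t), x in w.items() if t == u)
        if not isclose(out, c + inp):
            return False
    return True


def cut_weight(w, q):
    """Sum of w(e) over the edges leaving node set q (source in q, sink not)."""
    if any(s not in q and t in q for s, t in w):
        raise ValueError("an edge leads back into Q; outside this sketch")
    return sum(x for (s, t), x in w.items() if s in q and t not in q)


def merge(costs, shares, x, y, new, new_cost, new_shares):
    """Type 4 change: subtasks x and y become the single subtask `new`."""
    costs2 = {u: c for u, c in costs.items() if u not in (x, y)}
    costs2[new] = new_cost
    shares2 = {new: dict(new_shares)}  # O(new) is reallocated by the analyst
    for u, out in shares.items():
        if u in (x, y):
            continue  # arcs xy and yx disappear together with x and y
        merged = {}
        for v, frac in out.items():
            target = new if v in (x, y) else v  # arcs into x or y now enter `new`
            merged[target] = merged.get(target, 0.0) + frac
        shares2[u] = merged
    return costs2, shares2


def demand_price_bound(w_old, sink_old, w_new, sink_new):
    """I(z) - I(z'): estimated upper bound on the commodity's demand price."""
    return total_cost(w_old, sink_old) - total_cost(w_new, sink_new)


# Constructed five-task process (not the digraph of Fig. 5); all figures invented.
COSTS = {"a": 10.0, "text": 40.0, "pics": 60.0, "design": 100.0, "mech": 80.0}
SHARES = {
    "a": {"text": 0.5, "pics": 0.5},
    "text": {"design": 1.0},
    "pics": {"design": 0.5, "mech": 0.5},
    "design": {"mech": 1.0},
    "mech": {"z": 1.0},
}


def example():
    w_old = allocate(COSTS, SHARES, "z")
    # Assumed effect of the new commodity: design and mechanicals merge, cost 150.
    costs2, shares2 = merge(COSTS, SHARES, "design", "mech", "layout", 150.0, {"z": 1.0})
    w_new = allocate(costs2, shares2, "z")
    return {
        "total_before": total_cost(w_old, "z"),
        "cut_Q": cut_weight(w_old, {"a", "text", "pics"}),
        "total_after": total_cost(w_new, "z"),
        "bound": demand_price_bound(w_old, "z", w_new, "z"),
    }


if __name__ == "__main__":
    print(example())
```

The output shares stand in for the empirical edge-weight data the chapter says must be collected; changing them moves the individual weights but leaves I(z), and therefore the bound, unchanged.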
7.4 Determining Cost Reduction Possibilities
Since the total cost of a process whose structure corresponds to a fixed production digraph is the sum of the costs of the nodes, the only way of reducing the total cost is to lower the cost of one or more of the nodes. Suppose, for the sake of illustration, that in the original catalogue production process subtask T8 is performed by the person (a skilled photographer) who does T7. The cost of T8 could, perhaps, be lowered if a less skilled person were hired to do the job. Similar considerations could be applied to all the nodes in the production digraph.
Any decrease in the weight of an edge in a production digraph must be compensated by a corresponding increase, in order not to violate the conditions of the model's definition. This means that edge weights cannot be manipulated independently to lower costs. However, these weights serve as pointers to cost reduction possibilities at the nodes. Again, consider the example of catalogue preparation. Note that the output of T5 (designing catalogue document) is passed partly to T6 (making mechanicals for reproduction of catalogue document) and partly to T7 (preparing pictures for the mechanicals). These two allocations are w(T5, T6) and w(T5, T7), respectively. If one of these weights, say w(T5, T7), accounts for a very high percentage of the output, the cost reduction process should focus on that part of the processing at T5 on which T7 depends.
There is also an indirect way of lowering cost, namely, by restructuring the production process or modifying the underlying production digraph. Modifying the structure means adding or deleting edges (i.e., altering the dependencies between the nodes), or adding or deleting nodes. Such changes may result from a reorganization of a process using the existing resources, or from the introduction of new resources. The latter is illustrated by the introduction of a multimedia editor in the case of catalogue preparation. Referring to the labels used for the original digraph, the use of a multimedia editor leads to the elimination of two nodes (T7 and T8) and the edge (T1, T5), and the addition of a new edge (T1, T4). This restructuring is, of course, intended to lower the total production cost. Since there is essentially no change in nodes a and T1-T3, the cost would be reduced if
$$c(U4) + c(U5) + c(U6) < c(T4) + c(T5) + c(T6) + c(T7) + c(T8).$$
The formal properties of the production digraph enable us to explore the cost reduction possibilities in a systematic way. In particular, the digraph can be decomposed into several subdigraphs, which can be examined independently of each other, thus simplifying the search for ways of reducing costs. For details of one such decomposition procedure see Mowshowitz (1992c).
7.5 Applications
The production digraph model has been used by Bellin (1991) to analyze the impact of CASE (computer-aided software engineering) tools on the cost of software development. In his analysis, the CASE tool is treated as an information commodity that might be purchased by an organization for use in its software development work. Production digraph models of the software development process with and without CASE tools were built. The impact of CASE tools on software development was investigated by comparing the two models and using the non-CASE-tool digraph as an instrument for determining cost reduction possibilities through the introduction of such tools.
Bellin constructed a generic production digraph representation of the software development process based primarily on the "waterfall" model of the software development life cycle (SDLC). This generic representation was then refined and particularized through case studies of five large software-development organizations.26 Three instantiations of the model were generated corresponding to groups of organizations which (1) use neither structured programming methodologies nor CASE tools, (2) use structured methodologies but no CASE tools, or (3) use CASE tools and are familiar with structured methodologies. The production digraph for the first group consists of about 10 nodes; the digraphs for the second and third groups each have over 50 nodes. Costs of development subtasks were estimated as percentages of the total project costs.
A comparison of the production digraph models constructed for groups 2 and 3 revealed decreased costs for several development subtasks associated with the use of CASE tools. According to Bellin (1991), these subtasks include graphic process modeling; information modeling (including data dictionary access); prototyping, screens, and reports; and coding. This identification of cost-saving aspects accords well with programmers' perceptions of the most productivity-enhancing elements of CASE tools.27 The comparison also revealed an interesting structural change connected with the introduction of CASE tools, namely, a decrease in the number of nodes corresponding to coding subtasks.
The production digraph model may also be used to search for cost reduction possibilities. As explained in the preceding section, one way of reducing the cost of production is to lower the cost of each of the nodes. But first it is necessary to identify suitable candidates, i.e., nodes corresponding to subtasks that could be modified (in this instance, by the introduction of CASE tools) so as to lower their costs. Examination of the model corresponding to group 2 organizations (those using structured methodologies but no CASE tools) revealed several groups of candidate nodes, including graphic process modeling; data dictionary usage; structure charts; programming; reusable code usage; information modeling; and testing, quality assurance (Bellin, 1991, p. 112). Again, this identification of groups of subtasks is in line with the results of surveys of programmer analysts' perceptions of how productivity could be improved.
At the time of writing, two additional applications of the production digraph model are underway. One is a study of a class of knowledge-based systems in their respective production environments.28 Knowledge-based systems are treated as information commodities whose cost effects can be determined by the changes they induce in a given process, as represented by a production digraph. A major objective of this research is to link properties of knowledge-based systems to cost-sensitive changes in production processes. The second application is a study of the cost effects of computer-aided design (CAD) systems in the concrete construction industry.29 CAD systems are viewed as information commodities whose use in design promises to lower the total cost of making concrete buildings. Detailed, production-digraph models of the design phase of the concrete construction process, with and without CAD systems, have been developed, and cost estimates of the various subtasks have been obtained from engineering firms. This research aims to lay a foundation for quantitative analysis of the impact of information commodities on costs in the concrete construction industry.
8. Competition and Regulation
The rapid expansion of the market for information commodities has stimulated new rivalries and alliances, and has created new regulatory challenges. Telephone companies vie with newspapers and publishers in the information services arena. In the United States, cable operators gear up to do battle with regional telephone companies over the distribution of video entertainment to the home. Movie studios and electronic equipment makers cooperate in the promotion of interactive, entertainment products. Retailers and computer manufacturers join forces to create information services networks. In this climate of ferment and change, regulators are called upon to balance the interests of competing actors, to encourage growth and to secure the public good.
A comprehensive treatment of these complex issues is beyond the scope of this paper.30 Our aim here is simply to call attention to the principal participants and their respective roles and interests in the evolving information marketplace. These participants influence the conditions under which the marketplace operates, and thus warrant attention in a review of the factors affecting the value of information commodities.
8.1 Stakeholders
Stakeholders may be viewed as direct participants in the information marketplace. These include producers, vendors, carriers, and business and professional users of information commodities. Each of these classes is described briefly below. The information marketplace impinges on many other groups, some of which (like the workers whose jobs are at stake) will be treated in the context of interest groups (Section 8.2).
8.1.1 Commodity Producers
Producers turn artifacts that furnish information into products and services. The kernel of an information commodity may or may not be created by the producer. A software company marketing a package written by its own programmers is both producer and creator. On-line vendors offering databases obtained from government agencies are producers but not creators.
The definition of information as some sort of ability calls attention to its nonmaterial character. Viewed in this way, information is clearly not identical to the things that are said to "contain" or "furnish" information. Books, databases, and computer programs, for example, are not in and of themselves information; they are material objects or artifacts that furnish information. To distinguish between the various stakeholders, it is useful to recall our earlier discussion (Section 3.2.2) of an information commodity as an artifact which contains (in the sense of furnishing) information. Containers, as well as information, come in many different shapes and sizes with rather different commercial prospects. A bibliography on file cards is less marketable than one in computer-sensible form. Often, information is created in relatively nonmarketable containers. This gives rise to a common division of labor between creators and producers: the producer transforms the creator's information artifact into a marketable commodity.
8.1.2 Commodity Vendors
Vendors sell information products and services. Some produce the commodities they sell. Others simply distribute commodities produced by others. A producer who is also a vendor is comparable to a traditional manufacturing company. Computer makers like IBM, Apple, and DEC are, in some cases, creator, producer, and vendor all rolled into one. Each of these companies creates information (e.g., programs for microcomputers), transforms it into commodities (e.g., flexible disks containing software), and sells these commodities directly to users as well as to distributors.
8.1.3 Commodity Carriers
Carriers furnish the means for delivering information commodities to the customer. They are of two kinds: transporters of physical goods, and telecommunications providers. The former includes postal services as well as freight companies (railroad, steamship, airline, and trucking). Telecommunications providers embrace both public switched facilities (such as local and long-distance telephone companies, and computer networks) as well as intraorganizational and interorganizational (e.g., SWIFT, Teleport New York) private networks.
8.1.4 Business and Professional Users
The general consumer, someone who subscribes to a home banking or Videotext service, has an interest in the information marketplace, but is not a stakeholder. Thus the user class of stakeholders is taken here to consist of businesses, professionals, and managers. The list of users is practically endless. Professionals include lawyers using legal databases and word processors; physicians using medical databases, specialized diagnostic programs, and accounting software; dentists using billing programs; accountants using specialized tax and estate-planning software; etc. Almost all the professional and managerial entries in the Standard Occupational Classification could be counted as users. Information-related businesses (e.g., financial services, insurance, education, advertising, credit reporting, etc.) are perhaps the heaviest business users of information commodities, but the manufacturing, agricultural, mining and extractive and resource industries are not far behind.
8.1.5 Other Stakeholders
In addition to those directly involved in the creation, production, sale, and carriage of information commodities are the venture capitalists, investors, bankers, insurers and others who provide funds for development and underwrite risk. These stakeholders are playing an especially important role in the creation of the infrastructure needed to support network distribution of information commodities.
8.2 Interest Groups
8.2.1 Industry Associations
Every major segment of the information industry has an association to promote its interests. In the United States, traditional publishers have the Publishing Industry Association; on-line vendors are represented by the Information Industry Association (IIA); computer and equipment makers have the Computer and Business Equipment Manufacturers Association (CBEMA); software producers are represented by the Association of Data Processing Service Organizations (ADAPSO). Comparable associations exist in other countries as well, but a complete catalogue is beyond the scope of this paper.
Each of these associations has a complex set of interests to promote and defend. ADAPSO, for example, has been waging a campaign to reduce unauthorized copying of software. The IIA tries to persuade lawmakers and the public that government has no business in the information marketplace. A comprehensive account of these associations, their respective mandates, activities, modes of operation, and record of success would constitute a significant contribution to an assessment of the information marketplace.
8.2.2 Public Information Providers
The industry associations may differ on precisely how the information marketplace "pie" should be divided, but all agree that the pie should be divided among the stakeholders they collectively represent. There is, of course, nothing peculiar about this shared conviction in a market economy. The reason for stating the obvious is to place dissenting interest groups in proper perspective. These groups do not reject the idea of the market economy; they simply differ with the industry associations about government's role in the marketplace.
There are several groups, government agencies, and institutions that have a stake in government-supported or subsidized distribution of information to the public. They share the view of the American Library Association (ALA). The ALA argues that information created or produced with government funds should be accessible to everyone on an equitable basis; that is, the ability to pay should not be a criterion for access to information that has been generated by government. The ALA and related groups are concerned with only one type of information commodity: discrete packages (e.g., books, reports, and databases). There do not appear to be comparable groups promoting equitable public access to the software or computer-based resources generated by government.
8.2.3 Consumer Groups
Consumers have a great deal at stake in the information marketplace. Information commodities have an impact on all areas of contemporary life. Liability for faulty information products and services is an important consumer issue. Suppose, for example, a flawed home-banking system results in a debit that cannot be traced; or faulty software in an energy-use monitoring system keeps everything running full blast while the occupants of the house are away for a month. Who pays? Product liability issues are not new, but they are especially complicated in the information commodity arena because there is often a long chain of actors between producer and consumer.
Privacy is another issue that has been addressed from the consumer's point of view. Since the 1960s, computerized personal record systems have been a lightning rod for misgivings about computer applications in general. The privacy discussion has centered on "fair information practice": ensuring due process in the recording and dissemination of personal information, especially in the areas of credit reporting and gate-keeping operations of both private and public agencies (Rule et al., 1980). With the advance of information technology and the spread of personal record systems, new challenges to privacy have arisen. For example, file matching has become economically feasible and is often used to verify information or to detect fraud (Marx and Reichman, 1984). In addition, computer-based monitoring of employee performance is now common practice in the workplace (U.S. Congress, 1987).
More recently, attention has been directed to the rights that consumers may have in controlling the collection and circulation of personal data destined for commercial exploitation (e.g., in advertising and marketing) (Mosco and Waskow, 1988; Gandy, 1993). The widespread use of computers at the point-of-sale or point-of-service facilitates the capture of personal data available in transactions. Some observers have argued that consumers should share in the profits generated by commodities that furnish information about their buying habits and other personal characteristics.
8.2.4 Organized Labor
Whatever its promise for the future, the externalization of information and knowledge attendant upon the formation of information commodities alters the character of work and displaces human labor. Unions, thus, have a stake in the information marketplace. Union membership as a percentage of the labor force has declined steadily in the postwar period, from a peak of 35.5% in 1945 to 16.1% in 1990 (Hoffman, 1991). The shift in the economy from industrial to service employment evidently has not been accompanied by a proportionate increase in unionized service workers. Relatively low growth rates coupled with fragmentation requiring a major allocation of resources to collective bargaining have left unions with little time to devote to strategic issues. This may account for the apparent lack of a coherent union strategy to deal with the impact of the information marketplace on employment.
8.3 Regulation and Standard-Setting
Given the multiplicity of relevant organizations and the complexity of the technical issues, we cannot do anything more here than present a general discussion of the actors and sketch the major issues.
8.3.1 Regulation
Regulation of the information marketplace involves three broad types of intervention: (1) allocation of scarce or valuable public resources, (2) the need to ensure healthy and fair marketplaces, and (3) protection of the interest of consumers and citizens. The main actors in the United States are Federal and state agencies, and the Federal judiciary. Local governments also play a role and some may assume greater importance inasmuch as the information infrastructure has become concentrated in several major metropolitan centers.
Government offices are veritable lodes of information just waiting to be mined for valuable ore. This fact has long been known to some, and many companies have been busy in this area. As more entrepreneurs have come to recognize the commercial potential of government information, some sort of mechanism for allocating the rights to distribute this information will probably be needed. The treatment of mineral rights on public lands is probably more relevant to this problem than the allocation of frequency bands in the electromagnetic spectrum.
The second type of intervention, the need to ensure healthy and fair marketplaces, is likely to emanate from several different sources. One example is the need to promote the capacity for technical innovation. Many factors influence invention and change, but not all are amenable to government manipulation. One factor that can be influenced is firm size, and presumably this is one of the reasons for the existence of the Small Business Administration. If it can be shown (as some would argue) that small firms produce a disproportionate share of innovations in the information field, this would indicate that policy ought to be directed to encourage small firms to enter the market (Brock, 1975).
Promotion of fair and fruitful competition is another goal of regulatory action. A decision (July 1992) of the U.S. Federal Communications Commission permitting telephone companies to transmit TV and movies over telephone lines is a particularly important illustration (Weber and Coy, 1992). This decision has already triggered intense activity among cable operators and telephone companies.
Video entertainment distributed to the home by means of network facilities may very well provide the foundation for a mass market in network-based products and services. Issues relating to consumer interests were discussed in Section 8.2.3 above.
8.3.2 Standards
The adoption of standards is essential to the growth of the information marketplace. But the process of establishing standards is fraught with political as well as technical difficulties. Political difficulties are associated with the clash of vested interests in particular standards. Sometimes different companies in the same industry lobby for their respective standards; at other times companies in different industries compete with one another.
On the technical side, differences of opinion arise over the “best” way to do something even when no direct financial interest is at stake. Moreover, much of the negotiation over standards takes place in the international arena. Small wonder that progress on standards is often laborious and slow.
Standards for telecommunications and computer networks are particularly important in the information marketplace. This is so because these networks will be the principal carriers of the information commodities of the future. Examples of such commodities are systems for the electronic exchange of business forms (purchase orders, invoices, payment orders, etc.). This type of computer-to-computer exchange of information has been referred to as electronic data interchange (EDI). Standards for EDI enable the computers of the different parties to a transaction to interpret the information they receive appropriately. Considerable progress has been made in developing EDI standards for specific business forms in different industries (Sokol, 1989). The American National Standards Institute chartered a committee in 1979 to develop uniform standards for interindustry EDI, and an international body, the United Nations Electronic Data Interchange for Administration, Commerce, and Transport (UN/EDIFACT), came into being in 1986.
An aid to navigation in the maze of standards making is the Open Systems Interconnection (OSI) reference model of the International Organization for Standardization (ISO). This model serves as a kind of lingua franca among network designers, making it possible to relate a standard to a network function in one of the seven layers of the OSI model.
The following sketches of some of the key players in the standards arena are drawn mainly from Stallings (1985). ISO is a voluntary, nontreaty organization. Each participating nation and observer organization (with nonvoting status) designates a standards body to serve as member.
The standards work of the organization is conducted by technical committees. The committee concerned with information systems is TC97. This group developed the OSI reference model and is now working on protocol standards at various layers in the model.
The International Telegraph and Telephone Consultative Committee (CCITT) is a United Nations treaty organization consisting mainly of the post, telegraph, and telephone (PTT) authorities of its member countries. The United States is represented by the Department of State. CCITT is concerned with a broad range of communication problems, and works closely with ISO.
In the United States, the principal actors include the American National Standards Institute (ANSI), the National Institute of Standards and Technology (NIST, formerly the National Bureau of Standards, or NBS), the Federal Telecommunications Standards Committee (FTSC), the Defense Communications Agency (DCA), the Electronics Industry Association (EIA), and the Institute of Electrical and Electronics Engineers (IEEE).
ANSI is a private, nonprofit federation of standards organizations and does not itself develop standards. The federation is strongly supported by trade associations, and its membership includes manufacturers, users, communications carriers, and others. ANSI is a kind of self-appointed representative of the United States in ISO, but a number of American standards organizations bypass ANSI in dealing with other national bodies. Acting as a central clearing house and coordinating body for its member organizations, ANSI’s mandate parallels that of ISO.
NIST is attached to the Department of Commerce. It issues Federal Information Processing Standards for equipment sold to the federal government, not necessarily including the Department of Defense. NBS standards interests include those of both ISO and CCITT. The agency attempts, whenever feasible, to adopt standards in accord with international conventions.
FTSC has responsibilities that partially overlap those of NIST. Like NIST, this interagency advisory board of the federal government is responsible for establishing standards for federal procurements. Its aim is to assure interoperability of government-owned communications equipment.
DCA is the Defense Department’s own version of NIST and FTSC. It is charged with issuing communications-related military standards.
EIA is a trade association representing electronics firms. As a member of ANSI, it is concerned primarily with standards for information transmission, the physical layer of the OSI model. IEEE, also a member of ANSI, is a professional society whose standards interests focus on the physical and data link layers of the OSI model.
The collective interest of all the participants in standards-making lies in: (1) assuring large potential markets for particular pieces of equipment or software; and (2) allowing products from many different vendors to communicate, thereby increasing purchasers’ flexibility in the selection and use of equipment. However, individual interest does not always coincide with collective interest. An equipment vendor with a large installed base is not likely to support a standard that would force them to make major modifications in product design, not without a quid pro quo, that is.
Standardization plays a dual role in the growth of the market for information commodities. On the one hand, its role is the familiar one just mentioned, i.e., facilitating economies of scale, interchangeability of parts, interoperability of components, etc. But it also has a less familiar role which stems from the fundamental character of information commodities. Recall that these commodities result from the commercialization of information artifacts. The removal and separation of information from the human being, and its subsequent embedding in artifacts which can be traded in the marketplace, underwrites a newfound flexibility in the organization of activities. Increasingly, control and decision-making are obtained through artifacts rather than human beings. This signals diminished dependence on human actors and a decoupling of functions. For example, if a machinist is needed to make a part, there is no way to implement the part-making “program” without the person. By contrast, if a machine tool is driven by a programmable controller, the program used in the controller can be obtained quite independently of the machine operator: from someone else in the same organization, or from an outside vendor. Naturally, there is a price to be paid: increased transaction and management costs. To reap the advantages of the newfound flexibility, standards are required to minimize these transaction and management costs.
8.4 Politics of Regulation
There are two fairly natural ways of treating the politics of regulation. One is to classify by stakeholders. Such a scheme might have the following categories:
• Media
    Broadcast (subdivided by delivery system)
    Publishing (books, newspapers, etc.)
    Other (including cinema)
• Carriers
    Common (local, long-distance)
    Value-added
• Equipment vendors
• Product and service providers
Organizing by stakeholders has the virtue of highlighting the market as a moving target; by emphasizing the makers and purveyors of information commodities, innovations in the marketplace are placed in sharp focus. An alternative taxonomy is by regulatory issues. For example:
• Spectrum allocation
• Protection of intellectual property
• Liability, security, and privacy
• Antitrust
• Fiscal and monetary policy
• Tariffs and trade agreements
This scheme emphasizes the legal and regulatory apparatus, which has evolved primarily in response to delivery systems. These approaches are complementary rather than antagonistic. The stakeholder approach provides a technical-economic focus; the issues approach fosters a political-legal perspective. A marriage of the two would provide a solid, conceptual foundation for crafting a public-private partnership in the information marketplace.
9. Conclusion
We began the discussion by observing that the information marketplace is evolving in response to the displacement of information, knowledge, or skills from human beings to artifacts. Triggered by advances in computers and telecommunications, this displacement process is gaining momentum with the integration of these technologies. Computer-based communications networks will soon reach virtually every organization and person in the industrialized world. Such networks will stimulate an explosive growth in the production and use of information commodities, and support a global marketplace of gigantic proportions. This by way of establishing significance, but also to justify the treatment accorded our subject.
The information commodity is the appropriate unit of analysis in the evolving marketplace, because commoditization and networking feed on each other. Each new commodity contributes to the supply of products and services to be offered, thus strengthening the appeal of network access to potential customers; conversely, as the reach of the networks increases, it becomes attractive to expand the supply of products and services, and, thus, to stimulate the creation of more information commodities. Clearly, the centrality of information commodities in this symbiotic relationship between commoditization and networking warrants the development of a general theory of these commodities. This paper is intended as a step in that direction.
ACKNOWLEDGMENTS
The author is grateful to Professor C. C. Gotlieb (University of Toronto), Professor K. Ivanov (University of Umea), Mr. B. van Wegen (University of Amsterdam), and Dr. R. A. Chandansingh (Delft University of Technology) for helpful comments on a draft of this paper.
Endnotes
1 See Kochen (1984) for a review of developments in the conceptualization of information. Various attempts have been made to extend the entropy measure so as to take account of significance or value as well as uncertainty. See Hayes (1993) for a discussion of “weighted entropy” and related notions.
Hayes (1993) proposes a hierarchical series of information measures corresponding to four levels in the processing of data. Level one involves uncertainty, and is captured by Shannon’s entropy measure. The next three levels, which differentiate what we call structural aspects of information, are termed syntactic, semantic and data reduction, respectively. Compare this definition with the following ones by Hirshleifer and Arrow, respectively. “Information . . . consists of events tending to change [individuals’ subjective] probability distributions [over possible states of the world]” (Hirshleifer, 1973). “Intuitively, a change in information is a change in the probability distribution of states of the world” (Arrow, 1979). Both of these definitions relate changes in information to changes in the probabilities assigned by some agent to states of the world. Such changes imply modifications in the disposition or the ability of an agent to act. Churchman (1971, p. 10) adopts this view explicitly in defining knowledge as “an ability of some person to do something correctly.” See Winograd (1975) for a discussion of the relationship between declarative and procedural forms of knowledge representation. See Mowshowitz (1992a) for details of the definition. See Boulding (1966), Hall (1981), Braunstein (1981), and Cleveland (1982) for further discussion of the special economic characteristics of information. As Braunstein (1981, p. 11) puts it: “I cannot be certain of the value to me of a bit of information until I know what it is. In fact, I cannot make an accurate judgment on the basis of part of the information or on information about the information. And if I did have perfect information about what was being offered for sale, I would no longer need to purchase it.” Sections 5.1-5.3 and 5.5 are based on Mowshowitz (1992b).
10 Compare with Rouse’s (1986) discussion of the value of information in a decision-support system.
11 Taylor (1982a, p. 342) distinguishes between the “content of the message” and the “service that provides the message”; Taylor (1982b, p. 310), between content and “the message packages and the technology and systems used to generate, store, organize, present, and move these packages.”
12 For further discussion of the value of information, see Griffiths (1982), Duncan (1985), and Repo (1986, 1989).
13 Generally speaking, this formulation of an information commodity has much in common with Taylor’s view of an information system as “a series of formal processes by which the potential usefulness of specific input messages being processed is enhanced” (Taylor, 1982a, p. 341).
14 The insightful model of value-added processes developed by Taylor (1986) identifies, in our terms, some of the specific contributions of the kernel to the value of an information commodity. Taylor elaborates upon 23 value-adding features of information systems grouped according to six categories of “user criteria of choice” (Taylor, 1986, chapter 4).
15 The importance of this feature of the kernel is illustrated in Bradford and Kelejian (1978). The authors estimate the value added to an information system by improvements in the quality of information used to construct crop forecasts.
16 This discussion is based on the author’s limited experience as a consultant in the banking industry. The products described may very well be dated, but our aim here is to illustrate the model, not to present an overview of electronic banking. Generic, rather than proprietary, names are used in the text, since many banks have offered the kinds of products described.
17 In principle, this analysis of pricing takes account of direct and indirect costs associated with the development or production of a given information commodity. However, in practice there may be difficulties in determining the costs, as occurs, for example, in allocating production or development costs to the members of a family of related products.
18 The same type of graph structure, which we have called a “production digraph,” is used to analyze the demand price of an information commodity. Properties of this class of graphs will be examined in Section 7.2.
19 This overview is based on discussions with corporate executives and data processing and telecommunications managers, as well as published literature.
20 Sections 7.1-7.4 are based on Mowshowitz (1992c).
21 This is less restrictive than appears at first glance. The use to which a consumer puts a commodity could be modelled as an imaginary production process. If the consumer were able to assign (possibly subjective) costs or weights to the various activities represented in the model, the approach taken here would be applicable to final demand too.
22 Here production refers to the activities of a firm or subdivision thereof. We are not looking at the production of an industry or a sector of the economy. In other words, we are studying production at the micro-level rather than macro-level. Thus, our analysis is quite different from the work of Braunstein et al. (1980), Hayes and Erickson (1982), and Braunstein (1985, 1987). Whereas studies of production at the macro-level are properly concerned with production functions, investigation at the micro-level calls for analysis of the structure of production processes. For further discussion of production function models, see Hayes and Borko (1983). The distinction between macro- and micro-level analysis holds in particular for cost-benefit studies. For example, Mason and Sassone (1978) present a cost-benefit model of information services. Their model quantifies costs and benefits in terms of properties of information services in general. Our model examines the effect of information commodities (such as the information services studied by Mason and Sassone) on the specific production processes in which those commodities might be used.
23 For definitions of graph-theoretic terms, see Harary (1969).
24 For a proof of this equation, see Mowshowitz (1992c).
25 The costing requirements of the production digraph model appear to be most closely met by Activity Based Costing, an approach which has been gaining ground in recent years. For an exposition of this accounting method, see Cooper (1988).
26 The numbers of software specialists engaged in development work in these organizations were approximately 20, 60, 150, 450, and 1000, respectively (Bellin, 1991).
27 Bellin (1991) citing the work of Norman (1987).
28 PhD research of Bert van Wegen, Department of Social Science Informatics, University of Amsterdam.
29 PhD research of Reynold A. Chandansingh, Faculty of Civil Engineering, Delft University of Technology and Department of Social Science Informatics, University of Amsterdam.
30 The issue of intellectual property rights, e.g., copyright, patent and trade secret mechanisms for the protection of information commodities, is a major omission in this discussion. For extensive coverage of this topic, see the reports prepared by the Office of Technology Assessment (U.S. Congress, 1986, 1990).
31 For a detailed review of standards issues, see the report prepared by the Office of Technology Assessment (U.S. Congress, 1992).
References
Arrow, K. J. (1962). Economic welfare and the allocation of resources for invention. In: Economics of information and knowledge (D. M. Lamberton, ed.), Penguin Books, Harmondsworth, England, pp. 141-59.
Arrow, K. J. (1979). The economics of information. In: The computer age (M. Dertouzos and J. Moses, eds.), MIT Press, Cambridge, MA, pp. 306-17.
Ash, R. (1965). Information theory. John Wiley & Sons, New York.
Attneave, F. (1959). Applications of information theory to psychology. Holt, New York.
Baer, W. S. (1985). Information technology comes home. Telecommunication Policy 9, 3-22.
Bellin, D. (1991). Information commodities and the production process: how the introduction of CASE tools affects the software development life cycle (PhD Dissertation), The City University of New York.
Boehm, B. W. (1981). Software engineering economics. Prentice-Hall, Englewood Cliffs, NJ.
Boulding, K. E. (1966). The economics of knowledge and the knowledge of economics. Amer. Econ. Rev. 56(2), 1-13.
Bradford, D. F. and Kelejian, H. H. (1978). The value of information for crop forecasting with Bayesian speculators: theory and empirical results. Bell J. Econ. 9, 123-44.
Braunstein, Y. M. (1981). Information as a commodity: public policy issues and recent research. In: Information Services: Economics, Management, and Technology (R. M. Mason and J. E. Creps, eds.), Westview Press, Boulder, CO, pp. 9-22.
Braunstein, Y. M. (1985). Information as a factor of production: substitutability and productivity. The Information Society 3, 261-73.
Braunstein, Y. M. (1987). Information inputs and outputs in firms and quasi-firms. In: The cost of thinking: Information economics of ten pacific countries (M. Jussawalla, ed.), Ablex Publishing, Norwood, NJ, pp. 71-80.
Braunstein, Y. M., Baumol, W. J., and Mansfield, E. (1980). The economics of R&D. TIMS Studies in the Management Sciences 15, 19-32.
Brillouin, L. (1962). Science and information theory. Academic Press, New York.
Brock, G. W. (1975). The U.S. computer industry. Ballinger, Cambridge, MA.
Burns, C. and Martin, P. A. (1985). The economics of information. Background Paper, Office of Technology Assessment, U.S. Congress, Washington, DC.
Bush, V. (1945). As we may think. Atlantic Monthly 176 (July 1945), 101-8.
Cherry, C. (1985). The age of access: Information technology and social revolution. (William Edmonson, editor). Longwood Publishing Group, London.
Churchman, C. W. (1971). The design of inquiring systems: Basic concepts of systems and organization. Basic Books, New York.
Cleveland, H. (1982). Information as a resource. Futurist 3-4, 34-9.
Cohen, Joel (1962). Information theory and music. Behav. Sci. 7, 137-63.
Cooper, R. (1988). The rise of activity-based costing. Part I: What is an activity-based cost system? J. Cost Management for the Manufacturing Industry 2, 45-54.
Dockx, S. and Bernays, P., eds. (1965). Information and prediction in science. Academic Press, New York.
Duncan, J. (1985). The worth and value of information. Paper presented at American Federation of Information Processing Societies Annual Meeting, Nov. 14, 1985.
Gandy, O. H., Jr. (1993). The panoptic sort: A political economy of personal information. Westview Press, Boulder, CO.
Gotlieb, C. C. (1985). The economics of computers. Prentice-Hall, Englewood Cliffs, NJ.
Griffiths, J.-M. (1982). The value of information and related systems, products, and services. In: Ann. Rev. Inf. Sci. Tech. 17 (M. E. Williams, ed.), Knowledge Industry Publications, White Plains, NY, pp. 270-85.
Hall, K. (1981). The economic nature of information. The Information Society 1, 143-66.
Hayes, R. M. (1993). Measurement of information. Inf. Processing & Management 29, 1-11.
Hayes, R. M. and Borko, H. (1983). Mathematical models of information system use. Inf. Processing & Management 19, 173-86.
Hayes, R. M. and Erickson, T. (1982). Added value as a function of purchases of information services. The Information Society 1, 307-38.
Hintikka, J. (1984). Some varieties of information. Inf. Processing & Management 20, 175-81.
Hirshleifer, J. (1973). Where are we in the theory of information? Amer. Eco. Rev. 63, 31-9.
Hoffmann, E. (1980). Defining information: an analysis of the information content of documents. Inf. Processing & Management 16, 291-304.
Hoffmann, E. (1982). Defining information-II. A quantitative evaluation of the information content of documents. Inf. Processing & Management 18, 133-9.
Hoffman, M. S. (1991). The world almanac and book of facts 1992. Pharos Books, New York.
Innis, H. A. (1951). The bias of communication. University of Toronto Press, Toronto.
King, D. W. (1982). Marketing secondary information products and services. J. Amer. Soc. Inf. Sci. 32, 168-74.
Kochen, M. (1984). Information science research: the search for the nature of information. J. Amer. Soc. Inf. Sci. 35, 194-9.
Lamberton, D. M., ed. (1971). Economics of information and knowledge. Penguin Books, Harmondsworth, England.
Lamberton, D. M. (1984a). The emergence of information economics. In: Communication and information economics: New perspectives (M. Jussawalla and H. Ebenfield, eds.). North-Holland, Amsterdam, pp. 7-22.
Lamberton, D. M. (1984b). The economics of information and organization. In: Ann. Rev. Inf. Sci. Tech. 19 (M. E. Williams, ed.). Knowledge Industry Publications, White Plains, NY, pp. 3-30.
Langlois, R. N. (1982). Systems theory and the meaning of information. J. Amer. Soc. Inf. Sci. 32, 395-99.
Machlup, F. (1962). The production and distribution of knowledge in the United States. Princeton University Press, Princeton, NJ.
Machlup, F. (1980). Knowledge, its creation, distribution, and economic significance. Princeton University Press, Princeton, NJ.
Machlup, F. and Mansfield, U., eds. (1983). The study of information. John Wiley & Sons, New York.
Marion, L. (1992). The Datamation 100. Datamation 38(13), 13.
Marschak, J. (1959). Remarks on the economics of information. In: Contributions to scientific research in management (Proceedings of the Scientific Program following the Dedication of the Western Data Processing Center). Graduate School of Business Administration, University of California, Los Angeles, January 1959.
Marschak, J. (1968). Economics of inquiring, communicating, deciding. Amer. Eco. Rev. 58, 1-18.
Marschak, J. and Radner, R. (1972). Economic theory of teams. (Cowles Foundation Monograph 22). Yale University Press, New Haven, CT.
Marx, G. T. and Reichman, N. (1984). Routinizing the discovery of secrets: computers as informants. Amer. Beha. Sci. 27, 423-52.
Mason, R. M. and Sassone, P. G. (1978). A lower bound cost benefit model for information services. Information Processing & Management 14, 71-83.
McGuire, C. B. and Radner, R., eds. (1972). Decision and organization. North-Holland, Amsterdam.
Meyer, L. B. (1957). Meaning in music and information theory. J. Aesthetics & Art Criticism 15.
Miller, J. G. (1960). Information input overload and psychopathology. Am. J. Psychiatry 116, 695-703.
Moles, A. (1958). Théorie de l'Information et Perception esthétique. Flammarion, Paris.
Mosco, V. and Waskow, J., eds. (1988). The political economy of information. University of Wisconsin Press, Madison, WI.
Mowshowitz, A. (1968a). Entropy and the complexity of graphs: I. An index of the relative complexity of a graph. Bull. of Math. Biophys. 30, 175-204.
Mowshowitz, A. (1968b). Entropy and the complexity of graphs: IV. Entropy measures and graphical structure. Bull. of Math. Biophys. 30, 533-46.
Mowshowitz, A. (1984). Computers and the myth of neutrality. In: Proc. 1984 ACM Computer Science Conference. Association for Computing Machinery, New York, pp. 85-92.
Mowshowitz, A. (1992a). On the market value of information commodities: I. The nature of information and information commodities. J. Amer. Soc. Inf. Sci. 43(3), 225-32.
Mowshowitz, A. (1992b). On the market value of information commodities: II. Supply price. J. Amer. Soc. Inf. Sci. 43(3), 233-41.
Mowshowitz, A. (1992c). On the market value of information commodities: III. Demand price. J. Amer. Soc. Inf. Sci. 43(3), 242-8.
Norman, R. (1987). Integrated development environments in support of information systems design methodologies and systems analysts’ productivity. PhD Dissertation, University of Arizona.
Osgood, C. E., Suci, G. J., and Tannenbaum, P. H. (1957). The measurement of meaning. University of Illinois Press, Urbana, IL.
Porat, M. U. (1977). The information economy. U.S. Department of Commerce, Office of Telecommunications, Washington, DC, May 1977.
Priest, W. C. (1985). The character of information. Background Paper, Office of Technology Assessment, U.S. Congress, Washington, DC.
Regan, E. J. (1986). The strategic importance of telecommunications to banking. Paper Presentation, TIDE 2000 Second Symposium Telecommunications, Information and Interdependent Economies, Honolulu, May 13, 1986.
Repo, A. J. (1986). The dual approach to the value of information: an appraisal of use and exchange values. Information Processing & Management 22, 373-83.
Repo, A. J. (1989). The value of information: approaches in economics, accounting, and management science. J. Amer. Soc. Inf. Sci. 40, 68-85.
Rouse, W. B. (1986). On the value of information in system design: a framework for understanding and aiding designers. Information Processing & Management 22, 217-28.
Rule, J. B., McAdam, D., Stearns, L., and Uglow, D. (1980). Preserving individual autonomy in an information oriented society. In: Computers and Privacy in the Next Decade (L. J. Hoffman, ed.). Academic Press, New York, pp. 65-87.
Schiller, H. I. (1981). Who knows: Information in the age of the fortune 500. Ablex Publishers, Norwood, NJ.
Schiller, H. I., and Schiller, A. (1982). Who can own what America knows? The Nation, April 17, 1982, 461-63.
Schmid, A. A. (1985). A conceptual framework for organizing observations about parties interested in property. Background Paper, Office of Technology Assessment, U.S. Congress, Washington, DC.
Shannon, C. E. (1948). The mathematical theory of communication. Bell Syst. Tech. J., July & October. (Reprinted in The mathematical theory of communication by C. E. Shannon and W. Weaver. University of Illinois Press, Urbana, IL, 1959.)
Sigel, E. (1986). Is home banking for real? Datamation 32, 128-.
Silverstein, J. and Elwell, C. (1985). Database/Electronic publishing: Review and forecast. Knowledge Industry Publications, White Plains, NY.
Sokol, P. K. (1989). EDI; The competitive edge. McGraw-Hill, New York.
Stallings, W. (1985). Data and computer communications. Macmillan, New York.
Strassman, P. A. (1985). Information payoff. Macmillan, New York.
Taylor, R. S. (1982a). Value-added processes in the information life cycle. J. Amer. Soc. Inf. Sci. 32, 341-46.
Taylor, R. S. (1982b). Organizational information environments. In: Information and the transformation of society (G. P. Sweeny, ed.). North-Holland, Amsterdam, pp. 309-22.
Taylor, R. S. (1986). Value-Added processes in information systems. Ablex Publishing, Norwood, NJ.
U.S. Congress, Office of Technology Assessment (1986). Intellectual property rights in an age of electronics and information. U.S. Government Printing Office, Washington, DC.
U.S. Congress, Office of Technology Assessment (1987). Electronic supervisor: New technology, new tensions. U.S. Government Printing Office, Washington, DC.
U.S. Congress, Office of Technology Assessment (1990). Computer software and intellectual property (Background Paper). U.S. Government Printing Office, Washington, DC.
U.S. Congress, Office of Technology Assessment (1992). Global standards: Building blocks for the future. U.S. Government Printing Office, Washington, DC.
U.S. National Commission on Libraries and Information Science (1982). Public sector/private sector interaction in providing information services. U.S. Government Printing Office, Washington, DC.
Weber, J. and Coy, P. (1992). Look, Ma-no cable: it’s video by phone. Business Week 3281-611, 94.
Williams, M. E. (1985). Electronic databases. Science 228, 445-56.
Winograd, T. (1975). Frame representation and the declarative/procedural controversy. In: Representation and understanding: Studies in cognitive science (D. G. Bobrow and A. Collins, eds.). Academic Press, New York, pp. 185-210.
Winston, P. H. and Prendergast, K. A., eds. (1984). The AI business: Commercial uses of artificial intelligence. MIT Press, Cambridge, MA.
Yovits, M. C. and Foulk, C. R. (1985). Experiments and analysis of information use and value in a decision-making context. J. Amer. Soc. Inf. Sci. 36, 63-81.
Yovits, M. C., Foulk, C. R., and Rose, L. L. (1981a). Information flow and analysis: theory, simulation, and experiments. I. Basic theoretical and conceptual development. J. Amer. Soc. Inf. Sci. 31, 187-202.
Yovits, M. C., Foulk, C. R., and Rose, L. L. (1981b). Information flow and analysis: theory, simulation, and experiments. II. Simulation, examples, and results. J. Amer. Soc. Inf. Sci. 31, 203-10.
Yovits, M. C., Foulk, C. R., and Rose, L. L. (1981c). Information flow and analysis: theory, simulation, and experiments. III. Preliminary Experiments and Analysis. J. Amer. Soc. Inf. Sci. 31, 243-8.
Author Index Numbers in italics indicate the pages on which complete references are given.
A
Abdelhamied, K., I89 Abdel-Malek, A., I91 Abousleman, G. P., I91 Abu-Hanna, A., 132, I38 Adler, J., I91 Adouadi, M . , I90 Ahmed, F., 185, I93 Aikins, J . S., 166, 169, 180 Allemang, D., 93, 101, 114-116, 118, 138, I41 Almasi, G. S., 202, 243 Amarel, S., 81, I43 Amirinia, M . R., I94 Anabar, A., I87 Anabar, M., I87 Anbar, M., I91 Annaratone, M., 198, 243 Arkin, R. C., I94 Armstrong, J . , I90 Arnould, E., 198, 243 Arosio, E . , I93 Arrildt, W . D., I92 Arrow, K . J., 311, 312-313 Asgharzadeh, A., I91 Ash, R., 254, 3I3 Attikiouzel, Y . , I86 Attneave, F., 254, 313 Axline, S. G., 165, 168-169, I80 Ayala, D. E., 183-184 Aylor, J . H . , I81
B Babadi, A., I86 Bachem, A., 211, 244 Baer, W. S . , 313 Banerjee, U., 202, 243 Bankman, I . N., I87 Baranoski, B., I89 Barbier, J . Ph., I84 Baron, M., I94
Barr, R. C., I94 Batchelor, W . E., I94 Batini, C., 46, 69 Baumol, W. J . , 31,2,313 Baxter, B., 198, 243 Bearnson, G., I86 Bekey, G . A., I88 Bell, D. E., 12, 69 Bell, G. D., I85 Bellin, D., 299-300, 312, 313 Benachenhou, D., I87 Benaroch, L. M., I87 Benjamins, V. R., 132, I38 Berg, E., I84 Bergeron, B. P., I87 Bergstresser, P. R., I90 Bernard, M . , I83 Bernays, P., 254, 3I3 Bertino, E., 67, 71 Bertrand, D., I83 Bhatt, A. K . , I89 Bhatta, S., 122, I38 Biba, K. J . , 13, 69 Billbro, G. L., I92 Birnbaum, L., 97, I38 Biskup, J . , 9, 33, 69 Bissett, J . K . , 148, 154, 166, 168-169, 171, 180 Blanco, C., I83 Blum, R. L., 169, I80 Bobis, K . G., I87 Boehm, B. W . , 290, 313 Bohs, L . N., I94 Bond, W., 110-111, 119-120, I42 Bond, W. E., 111-112, I42 Bonnet, J.-C., 132, I38 Borchardt, G. C . , 132, I38 Borko, H., 312, 313 Bottoni, P., 183, I93 Bouchoucha, M . , 183-184 Boulding, K . E., 311, 313 Bowyer, K . W . , 97, I42
Boyer, R., 112, 142 Bradford, D. F., 311, 313 Bradshaw, J . A., 132, 138 Brajnik, G., 86, 131, 138 Brand, M., 97, 138 Braunstein, Y. M., 311-312, 313 Breant, C. M., 187 Brillouin, L., 254, 313 Brobst, R. W., 190 Brock, G. W.,306, 313 Bronzino, J . D., 187 Brooks, D. H., 185 Brown, J . S., 82, 85, 139 Bruggemann, H . H., 33, 69 Buchanan, B. G., 165, 168-169, 180 Buchanan, J., 191 Burk, G., I88 Burke, D. J., 183 Burns, C., 313 Burns, R. K., 46, 61, 69 Bush, V., 268,313 Butler, K., 184 Bylander, T., 80, 83, 138
C Cade, J. F., 185 Cader, M., 187 Cagnoni, S., 181-182, 189 Canady, L. D., 191 Cappello, P. R., 201, 245 Card, D. N., 182 Carmony, L., 184, 194 Carnevale. F. A., 183, 185-186, 192 Ceri, S., 46, 69 Cervilla, J . R., I84 Chan, K. C. C., 187 Chandrasekaran, B., 77, 80-81, 84, 89-91, 93-95, 101, 102, 106-107, 112, 114-116, 118-124, 127, 132, 138-143 Chang, J. Y.,191 Chang, R.-C.,187 Chapman, D., 79, 139 Chausmer, A. B., 187 Chen, P. P., 4, 69 Chen, Z., 201, 243 Cheng, H. D., 185, 191, 193 Cheng, S. N.-C., 192 Cherry, C., 262, 313 Ching, J . Y.,187
Chitsakul, K., 183 Chittaro, L., 86, 131, 138-139 Chu, W. K., 194 Chu, W.W., 187 Churchman, C. W., 311,313 Cigada, M., 183 Cios, K. J., 187 Clark, D. D., 35, 69 Clarke, L. P.. 189 Clarkson, P. F., 182, 189 Clay, W., 183 Cleveland, H., 311, 313 Codd, E. F., 4, 69 Cohen, J., 313 Cohen, S. N., 165, 168-169, 180 Coleman, R. E., 194 Collet, C., 183, 185-186, I92 Collter, C., 183 Conigliaro, N., 187 Connolly, B., 181 Cook, G. B., 191 Cook, T. A., 183-184 Cooper, P., 97, 138 Cooper, R., 312,313 Coppini, G., 189 Cousins, S. B., 189 Cox, G., 198, 243 Coy, P., 306,316 Craig, D. M., 186 Craik, K., 131, 139 Crebbin, G., 186 .Crisman, E., 186 Cuervas-Mom, V., 183 Cugnenc, P. H., 183-184 Culver, T . L., 192 Cuppens, F., 41, 69 D
Dai, Z., 186 D'Arcy, S., 191 Darden, L., 126, 139 Davis, D. T., 192 Davis, R., 112, 139, 165, 168-169, 180 Dayhoff, R. E., 192 de Cristofaro, B., 183 de Graaf, C. N., 190 de Guili, A., 183 DeJongh, M., 110, 113, 119, 139 de Kleer, J., 82, 85, 100, 139
Dell’Oca, M., 193 Delosme, J.-M., 201, 244 Denning, D. E., 3, 15-16, 39-41, 69, 71 Denning, P. J., 10, 70 Di Manzo, M., 139 DiMario, F., 192 Dingankar, A., 184 Dioguardi, N., 193 Di Stefano, A., 187 Ditschuneit, H., 188, 192 Dixon, J. R., 131, 143 Dobbins, R . W., 187-188, 190 Dobbs, G., 189 Dockx, S., 254, 313 Dooley, R. L., 184 Doster, W., 188, 192 Doyle, J., 78, 80, 142 Doyle, R. J., 132, 139 DueAas, A., 183 Duerer, H., 187 Dugan, J. B., 181 Duncan, J., 311, 313 Durdle, N. G., 182 Durre, K. P., 184 Dutta, S., 187 Duval, F., 185-186
Fernandez, E. B., 3, 10, 67, 69-71 Fernandez, J. R., 184 Fikes, R., 89, 120, 123, 139-140 Finanzon, M. R., 193 Fink, P. K., 112, 139 Finkelstein, S. M., 189 Fischer, R. S., 190 Fitch, L. L., 148, 154, 166, 168-169, 171, 180, 182
Floyd, C. E., Jr., 194 Forbus, K. D., 76, 82-83, 100, 140 Fortes, J. A. B., 198-199, 202, 205, 207, 210-213, 235-236, 243-245 Foulk, C. R., 316 Foyle, A., 191, 193 Fraga, J. M., 184 Franchi, S., 184 Frank, C. B., 185, 193 Franke, D. W., 95, 132, 140 Freeman, P., 120, 140 Frieder, G., 194 Frieder, O., 192, 194 Fries, R. C., 181 Fu, L.-M., 188 Fugini, M. G., 45, 70 Fumai, N., 183, 185-186, 192 Funnel, W. R. J., 194
E Eberhart, R. C., 187-188, 190 Ebisawa, Y., 184 Egbert, D. D., 188 Eichlin, M. W., 8, 71 Eiselt, K., 142 Ellingtion, W. W., 192 Elmasri, R., 45, 69 Elwell, C., 268, 289, 315 Epstein, W. V., 170, 181 Erickson, T., 312, 314 Evens, M., 184, 187, 189-190, 193-195 F
Fagan, L. M., 166, 169, 180 Fagan, L. W., 146, 177, 180 Fallat, R. J., 166, 169, 180 Faltings, B., 139 Favre, E., 183 Feigenbaum, E. A., 166, 169, 180 Fernald, K. W., 183, 184
G
Gage, H. D., 188 Ganapathy, K., 199, 205, 218, 230, 232-233, 235, 244 Gandy, 0. H., Jr., 305, 313 Garcia, L., 184 Garling, D., 187 Garvey, C., 44, 70 Garza, A. G. S., 142 Geckle, W. J., 190 Gero, J. S., 86, 131, 140 Gerth, W. A., 184, 185 Gino, A., 190 Ginsberg, M. D., 191 Giunchiglia, F., 139 Goel, A., 90-91, 94, 120, 122, 138-139 Goel, A. K., 89, 92, 96, 119, 121, 124-127, 140, 142-143
Goethe, J. W., 187 Goldenberg, I. F., 193 Gollapudy, C., 186
Gonzalez, M. A., 183 Gonsalez-Arias, S. M., 190 Goodenday, L. S., 187 Goodman, P. H., 188 Gotlieb, C. C., 250-251,313 Gottesman, R. D., 183, 185, 192 Gottlieb, A., 202, 243 Graham, G. S., 10, 70 Green, C. C., 165, 168-169, 180 Greenshields, I. R., 192 Greer, J., 185 Greer, K. L., 194 Griffey, R. H., 191-192 Griffiths, J.-M., 311, 313 Griffiths, P. P., 10, 70 Grinberg, M., 136, 142 Groleau, F., 185 Gross, T., 198, 243 Grove, T. A., 181 Gruber, T.. 123, 139 Guan, S.-Y., 192 Gudes, E., 67, 70 Guez, A., 185, 193 Guibas, L. J., 231, 244 Guida, G., 131, 139 Guisado, R., 185
Heinlein, C., 188 Hemler, R. F., 191 Hermann, M. C., 185 Hermida, R. C., 183-184 Hier, D., 187 Hier, D. B., 195 Higgins, A., 186 Hill, T., 112, 142 Himley, S., 184 Hinke, T. H., 44, 70 Hintikka, J., 314 Hiriyannaiah, H. P., 192 Hirshliefer, J., 311, 314 Hodges, J., 98, 131, 133, 140 Hoffman, M. S., 305,314 Hoffmann, E., 314 Hommel, J., 187 Hoogendoorn, E. L., 188 Hsieh, J., 184 Hughes, C., 188 Hulton, L. V., 188 Hunt, J. E., 131, 140 Hunter, D. W., 188 Hurwitz, B. E., 184 Hwang, G. J., 188 Hwang, J.-N., 192
Guo, Y.,195 Guthrie, B., 191
I
H Haddab, S., 184 Hadzikadic, M., 188 Haigh, J. T., 36, 42, 70, 72 Hall, C. P., 193 Hall, K., 311,313 Hallenbeck, J. J., I81 Hamilton, D. L., 181 Hammer, G. S., 184 Han, S. A., 186 Harris, M., 192 Harrison, M. A., 10, 70 Hart, A., 183 Hauck, J. A., 184 Hawkins, R., 112, 142 Hayes, P., 76, 140 Hayes, R. M., 259, 310-312, 313-314 Haynes, R. B., 188 Heckman, M., 15-16, 39-41, 69, 71-72 Heimke, G., 184
Ideker, R. E., 193 Ieong, I. T., 187 Iglesias, T., 184 Ihlenfeldt, L. D., 181 Imperato, M., 184 Innis, H. A., 264, 314 Irani, E. A., 188-189 Irani, P., 194 ITSEC, 62, 70 Iwasaki, Y., 89-91, 93-95, 120, 122-124, 132, 139-141, 143
J Jajodia, S., 3, 15-16, 40-41, 66-67, 70 James, L. S., 186 Janowitz, P., 188 Jansweijer, W. N. H., 132, 138 Jarmin, R., 186 Jasiobedzki, P., 192 Jaszczar, R. J., 194 Jayakar, P., 189
Jochem, W.J., 185 Johns, W.T., 190 Johnson, B. W.,181 Johnson, K. P., 124, 140 Johnson, W.L., 119, 140 Jordan, D. S., 131, 141 Jordan, R., 191 Josephson, J., 126, 141 Josephson, J. R., 119, 141
K Kaburlasos, V. G., 188 Kain, R. Y., 188 Kaindl, H., 86, 131, 141 Kamana, S., 186 Kamel, A., 111, 142 Kaneko, K., 184 Kang, I. E., 66, 70 Kanich, R. E., 193 Kannan, R., 211, 244 Karnegis, J. N., 148, 154, 166, 168-169, 171, 180
Kedem, Z. M., 205, 235-236.244 Keefe, T. F., 66-67, 70 Kelejian, H. H., 31 1, 313 Keuneke, A., 93, 95, 97, 102, 138, 141 Keuneke, A. M., 102, 106-107 Khanmoradi, H., 193 Kher, A., 191 Kim, H., 186 Kim. J. J., 188 Kim, W.,67, 71 King, D. W.,314 Kingsland, L. C., 166, 180 Kizakevich, P. N., I85 Knight, J. C., 181 Koch, P., 188 Kochen, M., 310, 314 Koechner, D., 191-192 Kogan, B., 66-67, 70 Kojima, S., 184 Kokol, P., 182 Komatsu, K., 193 Koster, A. S. E., 190 Kothapalli, B., 182 Kottmann, P., 192 Koumrian, T., 191 Kowarski, D., 188 Krakow, W.T., 194
Krieger, D., 188 Kriewall, T. J., 164, 180 Kudrimoti, A. S., 183 Kuhn, K., 188, 192 Kuipers, B., 82, 141 Kulikowski, C., 81, 143 Kumar, V., 186 Kung, H. T., 198, 205, 212, 231, 243-244 Kung, S. Y., 198, 231, 243-244 Kunz, J. C., 166, 169, 180 Kurak, C. W.,Jr., 193 Kuzmak, P. M., 192 1
Lachance, J., 185 Ladly, K., 185 Laird, J. E., 114, 125, 141 Lal-Gabe, A., 182 Lam, A., 192 Lam, M. S., 198, 243-244 Lamberton, D. M., 314 Lampson, B. W.,10, 14, 71 Landwehr, C. E., 71 Lang, T., 198, 243 Langlois, R. N., 314 Langton, K. B., 188 LaPadula, L. J., 12, 69 Laszewski, Z., 186 Laxer, C., 193 Layton, R., 186 Lazarou, K. X., 190 Ledford, C., 194 Ledley, R. S., 147, 180 Lee, C., 194 Lee, C.-Y., 184 Lee, E., 198, 243 Lee, H. S., 86, 131, 140 Lee, J. S.-J., 192 Lee, J. W.,183 Lee, P., 205, 235-236, 244 Leen, J. M., 181 Legate, A., 193 Leifker, D. B., 131, 141 Leisman, G., 188 Leo, F. P., 192 Leon, A. S., 148, 154, 166, 168-169, 171, 180
Lesser, R. P., 190 Leung, L. A., 189
Levi, K. R., 120, 141 Levine, S. D., 193 Levy, A., 123, 139 Lewis, P. S., 231, 244 Li, C. W., 185 Li, G.-J., 205, 212, 218, 244 Li, X. Q., 191 Lief, R. C., 182 Lief, S. B., 182 Lin, Q., 186 Lin, W., 189 Lind, M., 131, 141 Lindberg, D. A. B., 166, 180 Link, K. M., 194 Liu, W., 182 Liu, Z.-Q., 185, 193 Liver, B., 114, 141 Livesay, R. R., 190 Livi, R., 181-182, 189 Llaberia, J. M., 244 Lo, S. C.. 231,244 Lodeiro, C., 184 Long, J. L., 164, 180 Long, J. M., 146, 148-149, 154, 156, 166, 168-169, 171, 180, 182, 188-189
Loomis, A.. 186 Lopez, C. N., 189 Lorin, M., 183 Losee, R. M., 193 Low, C. M., 123, 141 Luef, G., 3 , 21, 24, 71 Lunt, T. F., 3 , 15-16, 39-41, 67, 69, 71 Luo, s., 195 Luria, S. M., 185 Lusth, J. C., 112, 139, 189
M Ma, H.-N.N., 193 MacAulay, M. A., 191, 193 MacGill, I. F., 185 Machlup, F., 249, 314 Mahesh, K.,142 Malin, J. T., 131, 141 Maloney, D. L., 192 Malowany, A. S., 183, 185-186, 192 Manolakos, E. S., 185 Mansfield, E., 312,313 Mansfield, U., 314 Marion, L., 290, 314
Marschak, J., 250, 259, 314 Martin, P. A., 313 Martinez, R., 183, 193 Martini, L., 183 Marx, G. T., 205, 314 Masarie, F. E., 165-166, 180 Mason, R. M., 312, 314 Masson, E., 183 Matts, J. P., 148, 154, 166, 168-169, 171, 180, 188-189
Mattson, E. J., 189 Mayer, G., 189 McAdam, D., 304,315 McAllister, D. F., 182 McBryde, A. M., 185 McCalla, G., 185 McClunz, D. H., 166, 169, 180 McConnell, J. R., 194 McCormick, B. H., 192 McDermid, J. A., 66, 71 McDonald, C. T., 176, 180 McDowell, J. K., 112, 142 McGoldrick, J. P., 186 McGuire, C. B., 314 McLeod, D., 192 McMillan, M. M., 189 McQueen, L., 189 Medsker, L., 187 Meehan, G. V., 189 Meisel, A., 165, 180 Meng, T., 198, 243 Menzilcigoglu, O., 198, 243-244 Merkl, D., 67, 71 Messenheimer, J. A., 186 Meyer, L. B., 254,314 Michael, J., 190 Michael, J. A., 187, 189-190 Michael, P. A., 193 Middleton, L. T., 190 Millen, J. K., 9, 67, 71 Miller, A. R., 180 Miller, C. A., 120, 141 Miller, J. G., 254, 314 Miller, R., 165-166, 180 Miller, R. A., 165, 168-169, 180 Miller, T. K.. 183, 188 Miller, T. K., 111, 184 Mills, J., 186 Mirabella, O., 187 Mitra, S., 191
Mittal, S., 80, 138 Miyakawa, T., 184 Moberg, D., 120, 126, 141 Mojon, A., 184 Moles, A., 254, 314 Montgomery, L. D., 184-185 Montgomery, R. W., 185 Moon, S. B., 193 Morales, J., 191 Morelli, R. A., 187 Morgenstern, M., 67, 71 Mosco, V . , 305, 315 Mouine, J . , 185-186 Mowshowitz, A., 257-258, 260-261, 264, 299, 311-312, 315 Mukkamala, R., 40, 70 Muiioz, A., 183 Murray, W. R., 141 Mussio, P., 183,193 Myers, G.A., 185 Myers, J. D., 165-166, 168-169, 180
N Naeymi-Rad, F., 184, 193-194 Naeymirad, S., 194 Nagel, J. H., 184 Nagle, H. T., 182, 186 Narayanan, H. R.,93, 139,141 Navarro, J. J., 244 Navathe, S. B., 45-46, 69,71 Navinchandra, D., 131, 141 Nayak, P., 123, 140 Nayar, S. K., 191 Naylor, W. C.,189 Nazarian, R. A., 186 Nemat, M., 193 Neumann, P. G.,64, 71 Nevo, I., 185,193 Newell, A,, 114, 120, 125, 140-141 Niclou, R., 185 Niemann, H., 189 Ni, L., 201, 244 Nii, H . P., 166, 169, 180 Nilsson, A. A., 193 Nissman, D. B., 185 Norman, K. L., 147, 180 Norman, R., 312, 315 Nose, Y., 184 Novak, B., 182
O
Oberst, B. B., 146, 156, 180 O’Brien, J. T.,42, 70 O’Hallaron, D., 198, 243 O’Kane, K. C.,147, 180 O’Keefe, M. T., 205, 212, 244 Olagunju, D. A,, 193 Orrison, W. W., 194 Osada, M., 193 Osborn, J. J., 166, 169, 180 Osgood, C.E., 256, 315 Ozdamar, O., 182, 189
P Packer, J. S., I85 Paliac, M. D., 171, 180 Pan, B., 189 Park, D. C.,190 Patil, R. S., 88, 141 Pattichis, C.S., 190 Paul, A., 185 Paulish, D. J., 182 Paulos, J. J., 183-184 Pearl, J., 75, 81, 142 Pearlman, W. A., 191 Pegah, M., 110-111, 119-120, 142 Peindl, R. D., 185 Peisner, D., 186 Pellegrini, C.,183 Perkins, J., 192 Perkowski, M., 193 Perlis, 97, 142 Pernul, G., 3, 9, 20-22, 24, 31, 45-46, 50, 61, 67, 71 Perreault, L. E., 146, 177, 180 Peterson, C.,198, 243 Peterson, J., 142 Peterson, L. L., 190 Petroni, M.,183,185-186, 192 Petrucci, K. E., 189 Petrucci, P., 189 Pierce, W. S., 186 Pierzchata, E., 193 Pietrogrande, M., 193 Pillutla, R., 186 Pittges, J., 142 Poli, R., 189 Poliac, M., 182
Poliac, M. O., 189 Pope, H. E., 165, 168-169, 180 Porat, M. U., 249, 315 POSCH Group, 189 Pourmedhdi, S., 185-186 Prabhakar, S., 127, 142 Prakash, S., 194 Prampolini, F., 184 Prasad, B., 185 Prendergast, K. A., 316 Price, C. J., 131, 140 Priest, W. C., 264, 315 Pugh, W. M., 190 Purut, C. M., 186
Q Quint, S. R., 186 Quinton, P., 201, 244
R Rabitti, F., 67, 71 Radner, R., 250, 314 Ragan, D. P., 186 Rajala, S. A., 194 Rajgopal, K., 194 Ramakrishnan, K. R., 194 Ramirez, M., 191 Ramsby, G., 192 Rangayyan, R. M., 185, 193 Rao, N., 194 Rasure, J.. 192 Reddy, S. P., 184 Regan, E. J., 287, 315 Reggia, J. A., 166, 181 Reichert, M., 188 Reichman, N., 205,314 Reiger, C., 136, 142 Reilly, R. E., 194 Repo, A. J., 311,315 Reupke, W. A., 182 Rey, A., 184 Rey, H. R., 186 Ricci, F., 139 Riddle, R. T., 181 Rigterink, P. V., 182 Riordan, D., 191, 193 Rivlin, E., 97, 142
Robert, S., 194 Roberts, J. A.. 181 Robertson, G. G., 202,244 Rochlis, J. A., 8, 71 Roesner, D., 188, 192 Roger, K., 183, 185, 186, 192 Rogers, E., 194 Roggio, R. F., 194 Rosasco, K.,186 Rose, F., 120, 141 Rose, L. L., 316 Rosenbloom, P. S., 114, 125, 141 Rosenfeld, A., 97, 142 Rosenthal, R., 194 Rote, G., 231, 244 Roth, J. V., 185, 193 Rouse, W. B., 311,315 Rousseau, A., 192 Rovick, A., 190 Rovick, A. A., 187, 190 Roy, S. C., 194 Rozewski, C. M., 183 Rubinstein, P., 10, 72 Ruche, S. H., 193 Rule, J. B., 304,315 Russell, K. R., 185 Ruzo, W. L., 10, 70 S
Saab, E., 183, 192 Sacks, B., 194 Sacks, E. P., 78, 80, 142 Sagerer, G., 189 Salerno, D., 189 Salerno, D. M., 186 Salvador, C. H., 183 Samuels, W. B., 194 Sanders, J. A.. 194 Sanders, W. H.,183 Sandhu, R., 3 , 15-16, 41, 70 Santago, P., 194 Santel, D., 182 Sartirana, E.. 193 Sassone. P. G., 312, 314 Satti, J. A., 186 Sauer, T., 192 Sawan, M., 185, 186 Sawin, H. S., 148, 154, 166, 168-169, 171, 180
Schaffer, K. F., 165, 180 Scheiderman, N., 184 Schell, R. R., 15-16, 39-41, 69, 71-72 Schellenberg, J. D., 189 Schiller, A., 268, 315 Schiller, H. I., 268, 315 Schizas, C. M.,190 Schmid, A. A., 265, 315 Schneider, R. H., 182 Schofield, I. S., 190 Schrijver, A., 208, 213-214, 244 Schwartz, M. D., 194 Schwartz, W. B., 88, 141 Sclabassi, R. J., 188 Scrimger, J. N., 191, 193 Seering, W. P., 134, 143 Sell, P. J., 72 Sembugamoorthy, V., 84, 89, 112, 132, 142 Shah, U. B., 191 Shamp, G. C., 166, 180 Shang, W., 199, 201-202, 207, 210-213, 235-236, 243-245
Shankar, M.,143 Shannon, C. E., 253, 315 Shapiro, L., 190 Sharma, M. K., 185 Shaw, R., 186 Shepard, B. M.,192 Sherman, C., 183 Sherman, K. R., 185 Shin, I., 187 Shockley, W. R., 15-16, 39-41, 69, 71 Shortliffe, E. H., 146, 165, 168-169, 177, 180
S h p , L.-Y., 184 Sibley, E., 15, 70 Siganporia, R., 185 Sigel, E., 315 Sigillito, V. G., 187 Silverstein, J., 268, 289, 315 Simborg, D. W., 170, 181 Simon, H. A., 78, 142 Simpson, E. V., 193 Slagle, J. R., 148, 154, 166, 168-169, 171, 180, 188-189 Smith, D., 183 Smith, D. M., 191 Smith, G. W., 46, 72 Smith, I. P., 194 Smith, J., 186
Smith, J. W., Jr., 138, 142 Smith, K., 17, 72, 186 Smith, M. F., 194 Smith, P. K., 186 Smith, P. L., 187 Smith, W., 184 Smith, W. M.,193 Snyder, A. J., 186 Snyder, W. E., 192, 194 Soames, R. W., 194 Sokol, P. K.,307, 315 Solntseff, N., 188 Solomon, M.,162, 181 Somerville, A. J., 186 Song, H., 67, 70 Song, S. W., 198, 244 Soroka, B. J., 191 Southerland, D. G., 185 Spector, W. B., 182 Spiller, W. K., 193 Srini, K., 186 Srinivasa, N., 194 Srinivasan, E., 182 Stachour, P. D., 41-43, 70, 72 Stadbauer, H., 131, 142 Stallings, W., 268, 307, 316 Stark, L., 97, 142, 185 Steams, L., 304, 315 Steels, L., 112, 142 Stellakis, H. M.,185 Stetson, D. M., 185, 190 Stevenson, J. P., 148, 154, 166, 168-169, 171, 180
Sticklen, J., 110-112, 119-120, 142-143 Sticklen, J. H., 134, 142 Stiglic, B., 182 Stockett, M. H., 191 Stoeger, K. J., 181 Stoll, C., 8, 72 Stonebraker, M.,10, 72 Strand, E. M.,190 Strang, G., 207-208, 244 Strassman, P. A., 268, 316 Strickland, T. J., Jr., 194 Stroulia, E., 121, 125-126, 143 Stytz, M. R., 192, 194 Suci, G. J., 256, 315 Summers, R. C., 10, 69 Sun, J., 111, 143 Swobodnik, W., 188, 192
Sycara, K.. 131, 141 Syh, H. W., 194 Szabo, Z., 190 Szolovits, P., 88, 141 Szu, H., 187
T Ta, N. P., 186 Taka, R. K., 187 Takatani, S., 184 Takeda, H., 131, 143 Tang, J.-X., 189 Tannenbaum, P. H., 256,315 Tanner, M. C., 102, 106-107 Tao, T. F., 39, 72 Tasso, C., 86, 131, 138-139 Taube, J. C., 186 Tavakoli, N., 191, 195 Tawara, K., 193 Taylor, C. J., 192 Taylor, R. S., 311, 316 TCSEC, 38, 62-63, 72 TDI, 38, 62, 72 Teague, S. M., 185 Tennison, M. B., 186 Thadani, S., 127, 143 Tham, K. W., 86, 131, 140 Thomas, M. M., 189 Thompson, B. G., 191 Thompson, C. D., 231, 244 Thompson, K., 8, 72 Thomsen, D. J., 36, 72 Thuraisingham, B., 41, 43, 72 Thuraisingham, M. B., 67, 70, 72 Tjoa, A. M., 9, 20, 22, 50, 71 Tomiyama, T., 131, 143 Tompkins. W. J., 195 Tonkonogy, J. M., 190 Toppano, E., 86, 131, 138-139 Toth, S., 97, 111, 119, 130, 143 Toups, T. L., 42, 70 Trace, D., 194 Trace, D. A., 184, 193 Trahey, G . E., 195 Trautmann, C., 182 Trenz, S. A., 189 Trevino, H., 183 Trucco, E., 139 Tsai, W. T., 67, 70
Tseng, S. S., 188, 190 Tucker, L. W., 202,244 Tufankji, R., 112, 142 Tuhrim, S., 166, 181 Tzen, T., 201, 244
U Ucci, D. R., I84 Uglow, D., 304,315 Ulman, J. D., 10, 70 Ulrich, K. T., 134, 143 Umeda, Y., 131, 143 U. S. Congress, Office of Technology Assessment, 268, 305, 312, 316 U. S. National Commission on Libraries and Information Science, 265, 316 Ushikubo, T., 184 V Vagnucci, A. H., 186 Valero-Garcia. M., 244 Valero, M., 198, 243-244 Valli, G., 189 Van Dongen, V., 201, 244 Verma, T. S., 75, 142 Vescovi, M., 89, 120, 140, 143 Viergever, M. A., 190 Vincken, K. L., 190 Votteri, B. A., 166, 169, 180 W
Wada, T., 195 Wade, B. W., 10, 70 Wah, B. W., 199, 202, 205, 218, 230, 232-233, 235, 243-244
Wakefield, J. S., 161, 181 Walter, D. C., 189 Wang, C. H., 190 Wang, G.-N., 195 Wang, K., 187 Wang, S., 193 Wang, T. P., 186 Warger, A., 170, 181 Warren, D., 41, 71 Warwick, W. J., 189
Waskow, J., 305, 315 Waterman, D. A., 166, 168-169, 177, 181 Webb, J., 198, 243 Webb, J. A., 198, 243 Webber, W. R. S., 187, 190 Weber, J . , 306, 316 Weed, L. L., 161, 181 Weintraub, M. A., 124, 143 Weisman, P. R., 189 Weiss, S., 81, 143 Weiss, W. J., 186 Welch, R. V., 131, 143 Weld, D., 78, 93, 143 Weschler, J. G., 188 Westervelt, F. H., 186 Westin, A. F., 147, 181 Whiting-O’Keefe, Q. E., 170, 181 Wick, M. R., 189 Wick, M. W., 148, 154, 166, 168-169, 171, 180 Wiederhold, G., 146, 177, 180 Wilcox, G. L., I89 Wiley, P., 198, 243 Williams, M. E., 268, 289, 316 Wilson, D. R., 35, 69 Wilson, J., 43, 72 Wilson, K., 190 Winiwarter, W., 50, 71 Winograd, T., 311, 316 Winslett, M.,17, 72 Winston, P. H . , 316 Wischnewsky, M. B., 187 Wise, R. A., 187 Wiseman, S., 46, 72 Wittenber, J., 182 Wittwert, C., 187 Woelk, D., 67, 71 Wolf, P. D., 193 Woll, R., 182 Wong, A. K. C., 187 Wong, Y., 201, 244
Woo, C. W., 190 Wood, C., 10, 69 Wood, H., 185 Workman, K. B., 192 Worley, J . S., 194 Wreder, K., 190 Wu, A., 44, 70 Wu, Y. C., 184 w u , z . , 195
X Xing, Z., 202, 244 Xue, J., 205, 226, 245
Y Yaacoby, Y., 201, 245 Yahnke, D., 183 Yamamoto, C., 189 Yang, Z., 211-212, 245 Yaylali, I., 189 Yazdanian, K., 41, 69 Yien, C., 185 Yoon, Y. O., 190 Yoshikawa, H., 131, 143 Young, R. M.,132, 138 Yovits, M. C., 316
Zanetti, J. M.,186, 189 Zanetty, J., 182 Zemmler, T . , 188 Zhang, Y., 190 Zhang, Y.-T., I85 Zhao, D., 195 Zhao, J., 187 Zhao, W., 191 Zombatfalvy, D. A., 181 Zumer, V., 182
Subject Index
A
Adapted mandatory access control model, 19-33 advantages, 19 assigned classifications, 28-29 automated security labeling support, 21 catalog relations, 30-31 decomposition, 26-28 fragmentation policy, 23-25 logical design, 20 required security conditions, 25-26 requirements analysis and conceptual design, 20, 22 security enforcement, 21 security object, 20-21 select trigger, 31-32 Algorithm-specific parallel processing, 197-242 algorithm model, 199-201 conflict-free mappings, 207-211 general parameter method, 217-230 applications, 230-240 constraints, 222-226 data-input conflict, 225-226, 233 design method, 226-230 parameters, 219-222 mapping problem, 204-207 notation, 199 relation to nested-loop programs, 202-203 time-optimal mappings without computational conflicts, 211-217 Ambiguity, handling, 79-80 Artificial intelligence glossary, 172 in medicine, expert systems, 165-177 building, 171-174 current status, 176-177 definition, 168-169 examples, 169-171 overview, 166-168 strengths and weaknesses, 174-176 qualitative reasoning, 83
ASD-Views, 43-45 Authorization, cascading, 11 Automated medical records systems, 161-1 62
B Banking, information commodities in, 287 Business users, information commodities, 302-303 C
Causal knowledge, compiled, 77 Causal models, 74-75 Causal nets, 81-82 Causal packages, 75 Causal process description, 86, 93-95 design verification, 122-124 generating, for new devices, 127-128 representing problem solvers, 125 Causal processes handling ambiguity, 79-80 qualitative device models, 82-84 Causal story, 74 Causal structures, nondynamic, functional representation generalization to, 129-131 Clark and Wilson model, 35-37 Clinical assessment and risk evaluation, 162- 163 Commodity carriers, information commodities, 302 Commodity producers, information commodities, 301-302 Commodity vendors, information commodities, 302 Communications engineering, origins of selective information, 253-254 Computer programs, debugging, 114-1 19 using device understanding, 117-1 19 Computer-related illnesses, 159
Conceptual data model, multilevel security, 45-61 characteristics, 45 classification constraints, 50-57 aggregation, 55-56 association-based, 54-55 complex, 52-53 content-based, 51-52 inference, 56-57 level-based, 53-54 simple, 50-51 conceptual model, 61 consistency and conflict management, 57-58 modeling example application, 58-61 rule base, 58-59 security semantics concepts, 47-50 Conflict-free mappings, algorithm-specific parallel processing, 207-211 Consumer groups, information commodities, 304-305 Control, computer-based medical systems, 151-153 Cost reduction, in information commodities, 298-299 Credit reporting, information commodities in, 288-289
D
Database relational, 5-6 design, 5 Database security, 1-86 adapted mandatory access control model, 19-33 availability, 2 conceptual data model, multilevel security, 45-61 definition, 2 discretionary models, 9-11 functional criteria, 64 future directions, 65-68 integrity, 2 major threats, 7-8 mandatory models, 11-18 mandatory access controls, 11-13, 18 multilevel secure relational data model, 13-18 models, 37-38
multilevel secure prototypes and systems, 38-45 ASD-Views, 43-45 Lock Data Views, 41-43 SeaView, 39-41 personal knowledge approach, 33-35 requirements, 2-3 standardization and evaluation efforts, 62-65 terminology, 6-7 Decision-theory model, market value of information, 250-251 Demand price, estimating, information commodities, 294-298 Design use of functional representation, 119-124 verification, functional representation, 122-124 Discretionary access controls, 9-11 Discretionary security models, 9-11 Distribution, information commodities, 273-274, 282
E Economy, information in, 249-250 Electronic information industry, information commodities in, 289 Entity-relationship model, 5 , 22, 46 graphical extensions, 48-49 Expert systems, see Artificial intelligence, in medicine
F Functional representation, 84-13 1 applications computer programs, debugging, 114- 119 device libraries, 119 diagnostic reasoning, 112-1 19 generating causal explanation by simulation, 102-109 parametric simulation, 110-1 11 representation of scientific theories, 126 representing problem solvers as devices, 124- 126 uses in design, 119-124 causal process description, 86
components, 89-99 causal process description, 93-95 device structure, 90-92 functions, 95-99 passive functions, 97 states and partial states, 92-93 generalization to nondynamic causal structures, 129-131 generating, for new devices, 127-129 logic of understanding, 137 noncausal links, 89 overview, 85-89 qualifiers, 89 related work, 131-133 research agenda, 133-136 Functional representation theory, 75 G
General parameter method, algorithmspecific parallel processing applications, 230-240 constraints, 222-226 data-input conflict, 225-226, 233 design method, 226-230 parameters, 219-222
H Hermite normal form, 209-21 1 Human-based products, information commodities, 279-280 Human qualitative reasoning, 76-77
I Illness, computer-related, 159 Imaging systems, computer-based medical systems, 163-164 Industry associations, information commodities, 303 Information as ability, 257-259 characteristics, 259-260 in economy, 249-250 market value, 250-252 new definition, 257-261 representation, 260-261 selective, 252-255 structural, 255-257
Information carriers, 267 Information commodities, 247-3 10 in banking, 287 business and professional users, 302-303 commodity carriers, 302 commodity producers, 301-302 commodity vendors, 302 in credit reporting, 288-289 definition, 261-262 in electronic information industry, 289 estimating supply prices, 283-286 improved taxonomy, 266-267 interest groups consumer groups, 304-305 industry associations, 303 organized labor, 305 public information providers, 304 in manufacturing, 286-287 regulation, 305-306 politics, 309-3 10 in securities trading, 288 in software industry, 289-291 standards, 306-309 types, 265-266 using applications, 299-301 cost reduction possibility determination, 298-299 estimating demand price, 294-298 production digraph model, 292-294 user as producer, 291-292 value-added model, 268-269 applications general-purpose products, 278-279 human-based products, 279-280 information exchange products, 276-278 new products suggested by, 282-283 potential product enhancement analysis, 280-282 distribution, 273-274 kernel, 269-272 presentation, 274-276 processing, 272-273 storage, 272 versus other commodities, 262-265 behavior of market value, 264-265 sharing versus exchange, 262-264 Information exchange products, 276-278 Information explosion, medical, 158
Information theory, universality, 254-255 INTERNIST, 165
K Kernel, information commodities, 269-272 Key property, 5
L Labor, organized, information commodities, 305 Libraries, technical domain, functional representation, 119 Litigation, medical information and,
Medicine, in information age airline analogy, 149-151 issues, 147-149 litigation, 153-154 managing information explosion, 158 nature of medical computing, 155-158 regulation and control, 151-153 structure of medical care, 154-155 Multilevel secure relational data model, 13-18
integrity properties, 15-18 Jajodia-Sandhu model, 15 polyinstantiation, 14-15 MYCIN, 165-166
153-154
N
Lock Data Views, 41-43
M Mandatory access controls, 11-13 structural limitations, 18 Manufacturing, information commodities in, 286-287 Mapping problem, algorithm-specific parallel processing, 204-207 Market value, information, 250-252 Matrix-multiplication algorithm, 208,
Nested-loop programs, relation to algorithm-specific parallel processing, 202-203
O
Ontology commonsense, 76 scientific, 76
213-21 7
Medical devices, computer-based medical systems, 164-165 Medical systems, computer-based, 145-180, see also Artificial intelligence, in medicine automated medical records systems, 161-162 clinical assessment and risk evaluation, 162-163
computer-related illnesses, 159 future, 177-179 imaging systems, 163-164 issues, 147-149 legal and ethical, 158-159 medical devices, 164-165 overview, 146 privacy and security, 158-159 special characteristics of clinical databases, 156-157 validation, regulation and standardization, 159-160
P Personal knowledge approach, 33-35 Clark and Wilson model, 35-37 Presentation, information commodities, 274-276, 282
Privacy, computer-based medical systems, 158
Processing, information commodities, 272-273, 282
Production digraph model, 292-294, 299-300
Productivity model, market value of information, 251-252 Professional users, information commodities, 302-303 Public information providers, information commodities, 304
Q Qualitative device models, 82-84
R Reasoning diagnostic functional representation, 112-1 19 need for models, 80-81 human modeling, 78 prediction, 78-80 qualitative, 76-77 variety of phenomena, 137 Redesign need to, 120 subtasks, 120-121 Referential integrity property, 5 Regulation, computer-based medical systems, 151-153, 160 Relational data model, 4-6 S
Scientific theories, representation, 126 SeaView, 39-41 Securities trading, information commodities in, 288 Security, see also Database security computer-based medical systems, 158-159 constraints, 50-57 aggregation, 55-56 association-based, 54-55 complex, 52-53 content-based, 51-52 inference, 56-57 level-based, 53-54 simple, 50-51 object, 6-7, 20-21 policy, 6 enforcement, 10 semantics, concepts, 47-50 subject, 7 Simulation, generating causal explanation, 102-109 Software industry, information commodities in, 289-291
Standards computer-based medical systems, 159-160 database security, 62-65 information commodities, 306-309 State abstractions, 93 State description languages, 92-93 States, 92-93 shape-based, 93 Storage, information commodities, 272, 281-282 Supply price, estimating, information commodities, 283-286 Systolic processing, constraint equations, 222-224
T Time-optional mappings, without computational conflicts, algorithm-specific parallel processing, 211-217 Trojan horse attacks, 7-8, 11
U Uniform dependence algorithm, 199-200
V Validation, computer-based medical systems, 160 Value-added model, information commodities, 268-269 applications general-purpose products, 278-279 human-based products, 279-280 information exchange products, 276-278 new products suggested by, 282-283 potential product enhancement analysis, 280-282 distribution, 273-274 kernel, 269-272 presentation, 274-276 processing, 272-273 storage, 272
Contents of Volumes in This Series
Volume 1
General-Purpose Programming for Business Applications CALVIN C. GOTLIEB
Numerical Weather Prediction NORMAN A. PHILLIPS
The Present Status of Automatic Translation of Languages YEHOSHUA BAR-HILLEL
Programming Computers to Play Games ARTHUR L. SAMUEL
Machine Recognition of Spoken Words RICHARD FATEHCHAND
Binary Arithmetic GEORGE W. REITWIESNER

Volume 2
A Survey of Numerical Methods for Parabolic Differential Equations JIM DOUGLAS, JR.
Advances in Orthonormalizing Computation PHILIP J. DAVIS AND PHILIP RABINOWITZ
Microelectronics Using Electron-Beam-Activated Machining Techniques KENNETH R. SHOULDERS
Recent Developments in Linear Programming SAUL I. GASS
The Theory of Automata: A Survey ROBERT MCNAUGHTON

Volume 3
The Computation of Satellite Orbit Trajectories SAMUEL D. CONTE
Multiprogramming E. F. CODD
Recent Developments in Nonlinear Programming PHILIP WOLFE
Alternating Direction Implicit Methods GARRETT BIRKHOFF, RICHARD S. VARGA, AND DAVID YOUNG
Combined Analog-Digital Techniques in Simulation HAROLD F. SKRAMSTAD
Information Technology and the Law REED C. LAWLOR

Volume 4
The Formulation of Data Processing Problems for Computers WILLIAM C. MCGEE
All-Magnetic Circuit Techniques DAVID R. BENNION AND HEWITT D. CRANE
Computer Education HOWARD E. TOMPKINS
Digital Fluid Logic Elements H. H. GLAETTLI
Multiple Computer Systems WILLIAM A. CURTIN

Volume 5
The Role of Computers in Election Night Broadcasting JACK MOSHMAN
Some Results of Research on Automatic Programming in Eastern Europe WLADYSLAW TURSKI
A Discussion of Artificial Intelligence and Self-organization GORDON PASK
Automatic Optical Design ORESTES N. STAVROUDIS
Computing Problems and Methods in X-Ray Crystallography CHARLES L. COULTER
Digital Computers in Nuclear Reactor Design ELIZABETH CUTHILL
An Introduction to Procedure-Oriented Languages HARRY D. HUSKEY

Volume 6
Information Retrieval CLAUDE E. WALSTON
Speculations Concerning the First Ultraintelligent Machine IRVING JOHN GOOD
Digital Training Devices CHARLES R. WICKMAN
Number Systems and Arithmetic HARVEY L. GARNER
Considerations on Man versus Machines for Space Probing P. L. BARGELLINI
Data Collection and Reduction for Nuclear Particle Trace Detectors HERBERT GELERNTER

Volume 7
Highly Parallel Information Processing Systems JOHN C. MURTHA
Programming Language Processors RUTH M. DAVIS
The Man-Machine Combination for Computer-Assisted Copy Editing WAYNE A. DANIELSON
Computer Aided Typesetting WILLIAM R. BOZMAN
Programming Languages for Computational Linguistics ARNOLD C. SATTERTHWAIT
Computer Driven Displays and Their Use in Man/Machine Interaction ANDRIES VAN DAM

Volume 8
Time-shared Computer Systems THOMAS N. PYKE, JR.
Formula Manipulation by Computer JEAN E. SAMMET
Standards for Computers and Information Processing T. B. STEEL, JR.
Syntactic Analysis of Natural Language NAOMI SAGER
Programming Languages and Computers: A Unified Metatheory R. NARASIMHAN
Incremental Computation LIONELLO A. LOMBARDI

Volume 9
What Next in Computer Technology? W. J. POPPELBAUM
Advances in Simulation JOHN MCLEOD
Symbol Manipulation Languages PAUL W. ABRAHAMS
Legal Information Retrieval AVIEZRI S. FRAENKEL
Large Scale Integration-An Appraisal L. M. SPANDORFER
Aerospace Computers A. S. BUCHMAN
The Distributed Processor Organization L. J. KOCZELA

Volume 10
Humanism, Technology, and Language CHARLES DECARLO
Three Computer Cultures: Computer Technology, Computer Mathematics, and Computer Science PETER WEGNER
Mathematics in 1984-The Impact of Computers BRYAN THWAITES
Computing from the Communication Point of View E. E. DAVID, JR.
Computer-Man Communication: Using Computer Graphics in the Instructional Process FREDERICK P. BROOKS, JR.
Computers and Publishing: Writing, Editing, and Printing ANDRIES VAN DAM AND DAVID E. RICE
A Unified Approach to Pattern Analysis ULF GRENANDER
Use of Computers in Biomedical Pattern Recognition ROBERT S. LEDLEY
Numerical Methods of Stress Analysis WILLIAM PRAGER
Spline Approximation and Computer-Aided Design J. H. AHLBERG
Logic per Track Devices D. L. SLOTNICK

Volume 11
Automatic Translation of Languages Since 1960: A Linguist’s View HARRY H. JOSSELSON
Classification, Relevance, and Information Retrieval D. M. JACKSON
Approaches to the Machine Recognition of Conventional Speech KLAUS W. OTTEN
Man-Machine Interaction Using Speech DAVID R. HILL
Balanced Magnetic Circuits for Logic and Memory Devices R. B. KIEBURTZ AND E. E. NEWHALL
Command and Control: Technology and Social Impact ANTHONY DEBONS

Volume 12
Information Security in a Multi-User Computer Environment JAMES P. ANDERSON
Managers, Deterministic Models, and Computers G. M. FERRERO DIROCCAFERRERA
Uses of the Computer in Music Composition and Research HARRY B. LINCOLN
File Organization Techniques DAVID C. ROBERTS
Systems Programming Languages D. P. SHECHTER, R. D. BERGERON, J. D. GANNON, F. W. TOMPA, AND A. VAN DAM
Parametric and Nonparametric Recognition by Computer: An Application to Leukocyte Image Processing JUDITH M. S. PREWITT

Volume 13
Programmed Control of Asynchronous Program Interrupts RICHARD L. WEXELBLAT
Poetry Generation and Analysis JAMES JOYCE
Mapping and Computers PATRICIA FULTON
Practical Natural Language Processing: The REL System as Prototype FREDERICK B. THOMPSON AND BOZENA HENISZ THOMPSON
Artificial Intelligence-The Past Decade B. CHANDRASEKARAN

Volume 14
On the Structure of Feasible Computations J. HARTMANIS AND J. SIMON
A Look at Programming and Programming Systems T. E. CHEATHAM, JR., AND JUDY A. TOWNLEY
Parsing of General Context-Free Languages SUSAN L. GRAHAM AND MICHAEL A. HARRISON
Statistical Processors W. J. POPPELBAUM
Information Secure Systems DAVID K. HSIAO AND RICHARD I. BAUM

Volume 15
Approaches to Automatic Programming ALAN W. BIERMANN
The Algorithm Selection Problem JOHN R. RICE
Parallel Processing of Ordinary Programs DAVID J. KUCK
The Computational Study of Language Acquisition LARRY H. REEKER
The Wide World of Computer-Based Education DONALD BITZER

Volume 16
3-D Computer Animation CHARLES A. CSURI
Automatic Generation of Computer Programs NOAH S. PRYWES
Perspectives in Clinical Computing KEVIN C. O'KANE AND A. HALUSKA
The Design and Development of Resource-Sharing Services in Computer Communication Networks: A Survey SANDRA A. MAMRAK
Privacy Protection in Information Systems REIN TURN

Volume 17
Semantics and Quantification in Natural Language Question Answering W. A. WOODS
Natural Language Information Formatting: The Automatic Conversion of Texts to a Structured Data Base NAOMI SAGER
Distributed Loop Computer Networks MING T. LIU
Magnetic Bubble Memory and Logic TIEN CHI CHEN AND HSU CHANG
Computers and the Public’s Right of Access to Government Information ALAN F. WESTIN

Volume 18
Image Processing and Recognition AZRIEL ROSENFELD
Recent Progress in Computer Chess MONROE M. NEWBORN
Advances in Software Science M. H. HALSTEAD
Current Trends in Computer-Assisted Instruction PATRICK SUPPES
Software in the Soviet Union: Progress and Problems S. E. GOODMAN

Volume 19
Data Base Computers DAVID K. HSIAO
The Structure of Parallel Algorithms H. T. KUNG
Clustering Methodologies in Exploratory Data Analysis RICHARD DUBES AND A. K. JAIN
Numerical Software: Science or Alchemy? C. W. GEAR
Computing as Social Action: The Social Dynamics of Computing in Complex Organizations ROB KLING AND WALT SCACCHI

Volume 20
Management Information Systems: Evolution and Status GARY W. DICKSON
Real-Time Distributed Computer Systems W. R. FRANTA, E. DOUGLAS JENSEN, R. Y. KAIN, AND GEORGE D. MARSHALL
Architecture and Strategies for Local Networks: Examples and Important Systems K. J. THURBER
Vector Computer Architecture and Processing Techniques KAI HWANG, SHUN-PIAO SU, AND LIONEL M. NI
An Overview of High-Level Languages JEAN E. SAMMET

Volume 21
The Web of Computing: Computer Technology as Social Organization ROB KLING AND WALT SCACCHI
Computer Design and Description Languages SUBRATA DASGUPTA
Microcomputers: Applications, Problems, and Promise ROBERT C. GAMMILL
Query Optimization in Distributed Data Base Systems GIOVANNI MARIA SACCO AND S. BING YAO
Computers in the World of Chemistry PETER LYKOS
Library Automation Systems and Networks JAMES E. RUSH

Volume 22
Legal Protection of Software: A Survey MICHAEL C. GEMIGNANI
Algorithms for Public Key Cryptosystems: Theory and Applications S. LAKSHMIVARAHAN
Software Engineering Environments ANTHONY I. WASSERMAN
Principles of Rule-Based Expert Systems BRUCE G. BUCHANAN AND RICHARD O. DUDA
Conceptual Representation of Medical Knowledge for Diagnosis by Computer: MDX and Related Systems B. CHANDRASEKARAN AND SANJAY MITTAL
Specification and Implementation of Abstract Data Types ALFS T. BERZTISS AND SATISH THATTE

Volume 23
Supercomputers and VLSI: The Effect of Large-Scale Integration on Computer Architecture LAWRENCE SNYDER
Information and Computation J. F. TRAUB AND H. WOZNIAKOWSKI
The Mass Impact of Videogame Technology THOMAS A. DEFANTI
Developments in Decision Support Systems ROBERT H. BONCZEK, CLYDE W. HOLSAPPLE, AND ANDREW B. WHINSTON
Digital Control Systems PETER DORATO AND DANIEL PETERSEN
International Developments in Information Privacy G. K. GUPTA
Parallel Sorting Algorithms S. LAKSHMIVARAHAN, SUDARSHAN K. DHALL, AND LESLIE L. MILLER

Volume 24
Software Effort Estimation and Productivity S. D. CONTE, H. E. DUNSMORE, AND V. Y. SHEN
Theoretical Issues Concerning Protection in Operating Systems MICHAEL A. HARRISON
Developments in Firmware Engineering SUBRATA DASGUPTA AND BRUCE D. SHRIVER
The Logic of Learning: A Basis for Pattern Recognition and for Improvement of Performance RANAN B. BANERJI
The Current State of Language Data Processing PAUL L. GARVIN
Advances in Information Retrieval: Where is That /#*&@a Record? DONALD H. KRAFT
The Development of Computer Science Education WILLIAM F. ATCHISON

Volume 25
Accessing Knowledge through Natural Language NICK CERCONE AND GORDON MCCALLA
Design Analysis and Performance Evaluation Methodologies for Database Computers STEVEN A. DEMURJIAN, DAVID K. HSIAO, AND PAULA R. STRAWSER
Partitioning of Massive/Real-Time Programs for Parallel Processing I. LEE, N. PRYWES, AND B. SZYMANSKI
Computers in High-Energy Physics MICHAEL METCALF
Social Dimensions of Office Automation ABBE MOWSHOWITZ

Volume 26
The Explicit Support of Human Reasoning in Decision Support Systems AMITAVA DUTTA
Unary Processing W. J. POPPELBAUM, A. DOLLAS, J. B. GLICKMAN, AND C. O’TOOLE
Parallel Algorithms for Some Computational Problems ABHA MOITRA AND S. SITHARAMA IYENGAR
Multistage Interconnection Networks for Multiprocessor Systems S. C. KOTHARI
Fault-Tolerant Computing WING N. TOY
Techniques and Issues in Testing and Validation of VLSI Systems H. K. REGHBATI
Software Testing and Verification LEE J. WHITE
Issues in the Development of Large, Distributed, and Reliable Software C. V. RAMAMOORTHY, ATUL PRAKASH, VIJAY GARG, TSUNEO YAMAURA, AND ANUPAM BHIDE

Volume 27
Military Information Processing JAMES STARK DRAPER
Multidimensional Data Structures: Review and Outlook S. SITHARAMA IYENGAR, R. L. KASHYAP, V. K. VAISHNAVI, AND N. S. V. RAO
Distributed Data Allocation Strategies ALAN R. HEVNER AND ARUNA RAO
A Reference Model for Mass Storage Systems STEPHEN W. MILLER
Computers in the Health Sciences KEVIN C. O’KANE
Computer Vision AZRIEL ROSENFELD
Supercomputer Performance: The Theory, Practice, and Results OLAF M. LUBECK
Computer Science and Information Technology in the People’s Republic of China: The Emergence of Connectivity JOHN H. MAIER

Volume 28
The Structure of Design Processes SUBRATA DASGUPTA
Fuzzy Sets and Their Applications to Artificial Intelligence ABRAHAM KANDEL AND MORDECHAY SCHNEIDER
Parallel Architecture for Database Systems A. R. HURSON, L. L. MILLER, S. H. PAKZAD, M. H. EICH, AND B. SHIRAZI
Optical and Optoelectronic Computing MIR MOJTABA MIRSALEHI, MUSTAFA A. G. ABUSHAGUR, AND H. JOHN CAULFIELD
Management Intelligence Systems MANFRED KOCHEN

Volume 29
Models of Multilevel Computer Security JONATHAN K. MILLEN
Evaluation, Description and Invention: Paradigms for Human-Computer Interaction JOHN M. CARROLL
Protocol Engineering MING T. LIU
Computer Chess: Ten Years of Significant Progress MONROE NEWBORN
Soviet Computing in the 1980s RICHARD W. JUDY AND ROBERT W. CLOUGH

Volume 30
Specialized Parallel Architectures for Textual Databases A. R. HURSON, L. L. MILLER, S. H. PAKZAD, AND JIA-BING CHENG
Database Design and Performance MARK L. GILLENSON
Software Reliability ANTHONY IANNINO AND JOHN D. MUSA
Cryptography Based Data Security GEORGE I. DAVIDA AND YVO DESMEDT
Soviet Computing in the 1980s: A Survey of the Software and Its Applications RICHARD W. JUDY AND ROBERT W. CLOUGH
Volume 31
Command and Control Information Systems Engineering: Progress and Prospects STEPHEN J. ANDRIOLE
Perceptual Models for Automatic Speech Recognition Systems RENATO DEMORI, MATHEW J. PALAKAL, AND PIERO COSI
Availability and Reliability Modeling for Computer Systems DAVID I. HEIMANN, NITIN MITTAL, AND KISHOR S. TRIVEDI
Molecular Computing MICHAEL CONRAD
Foundations of Information Science ANTHONY DEBONS

Volume 32
Computer-Aided Logic Synthesis for VLSI Chips SABURO MUROGA
Sensor-Driven Intelligent Robotics MOHAN M. TRIVEDI AND CHUXIN CHEN
Multidatabase Systems: An Advanced Concept in Handling Distributed Data A. R. HURSON AND M. W. BRIGHT
Models of the Mind and Machine: Information Flow and Control between Humans and Computers KENT L. NORMAN
Computerized Voting ROY G. SALTMAN

Volume 33
Reusable Software Components BRUCE W. WEIDE, WILLIAM F. OGDEN, AND STUART H. ZWEBEN
Object-Oriented Modeling and Discrete-Event Simulation BERNARD P. ZIEGLER
Human-Factors Issues in Dialog Design THIAGARAJAN PALANIVEL AND MARTIN HELANDER
Neurocomputing Formalisms for Computational Learning and Machine Intelligence S. GULATI, J. BARHEN, AND S. S. IYENGAR
Visualization in Scientific Computing THOMAS A. DEFANTI AND MAXINE D. BROWN

Volume 34
An Assessment and Analysis of Software Reuse TED J. BIGGERSTAFF
Multisensory Computer Vision N. NANDHAKUMAR AND J. K. AGGARWAL
Parallel Computer Architectures RALPH DUNCAN
Content-Addressable and Associative Memory LAWRENCE CHISVIN AND R. JAMES DUCKWORTH
Image Database Management WILLIAM I. GROSKY AND RAJIV MEHROTRA
Paradigmatic Influences on Information Systems Development Methodologies: Evolution and Conceptual Advances RUDY HIRSCHHEIM AND HEINZ K. KLEIN

Volume 35
Conceptual and Logical Design of Relational Databases S. B. NAVATHE AND G. PERNUL
Computational Approaches for Tactile Information Processing and Analysis HRISHIKESH P. GADAGKAR AND MOHAN M. TRIVEDI
Object-Oriented System Development Methods ALAN R. HEVNER
Reverse Engineering JAMES H. CROSS II, ELLIOT J. CHIKOFSKY, AND CHARLES H. MAY, JR.
Multiprocessing CHARLES J. FLECKENSTEIN, D. H. GILL, DAVID HEMMENDINGER, C. L. MCCREARY, JOHN D. MCGREGOR, ROY P. PARGAS, ARTHUR M. RIEHL, AND VIRGIL WALLENTINE
The Landscape of International Computing EDWARD M. ROCHE, SEYMOUR E. GOODMAN, AND HSINCHUN CHEN

Volume 36
Zero Defect Software: Cleanroom Engineering HARLAN D. MILLS
Role of Verification in the Software Specification Process MARVIN V. ZELKOWITZ
Computer Applications in Music Composition and Research GARY E. WITTLICH, ERIC J. ISAACSON, AND JEFFREY E. HASS
Artificial Neural Networks in Control Applications V. VEMURI
Developments in Uncertainty-Based Information GEORGE J. KLIR
Human Factors in Human-Computer System Design MARY CAROL DAY AND SUSAN J. BOYCE

Volume 37
Approaches to Automatic Programming CHARLES RICH AND RICHARD C. WATERS
Digital Signal Processing STEPHEN A. DYER AND BRIAN K. HARMS
Neural Networks for Pattern Recognition S. C. KOTHARI AND HEEKUCK OH
Experiments in Computational Heuristics and Their Lessons for Software and Knowledge Engineering JURG NIEVERGELT
High-Level Synthesis of Digital Circuits GIOVANNI DE MICHELI
Issues in Dataflow Computing BEN LEE AND A. R. HURSON
A Sociological History of the Neural Network Controversy MIKEL OLAZARAN
Volume 38
Database Security GUNTHER PERNUL
Functional Representation and Causal Processes B. CHANDRASEKARAN
Computer-Based Medical Systems JOHN M. LONG
Algorithm-Specific Parallel Processing with Linear Processor Arrays JOSE A. B. FORTES, BENJAMIN W. WAH, WEIJIA SHANG, AND KUMAR N. GANAPATHY
Information as a Commodity: Assessment of Market Value ABBE MOWSHOWITZ