The meaning conveyed by XML fragments to people was analysed in my 2005 Extreme paper [Wrightson05] using a simple toolkit based on situation semantics. This paper brings that analysis together with the logic of information flow discussed in relation to topic maps in my 2001 Extreme paper [Wrightson01]. Examples are drawn from work undertaken by an international corporation to automate key inter-territory informational interactions such as employee transfers, and interoperability standards for electronic health records.
This paper does not claim to provide a full semantic framework; rather, the aim is to use two real examples as a motivating context for gaining a better understanding of how humans and machines can and do communicate meaningfully about our complex and incompletely known world using relatively simple signals such as XML documents. This paper explores these examples of interoperability using situation semantics and the model of information flow in Barwise & Seligman's "Logic of Information Flow" [BarSel97].
Readers new to situation semantics may find it useful to read the overview and brief guide to further reading in my 2005 paper [Wrightson05] before proceeding further.
Although semantic interoperability between information systems (IS) is often described functionally, perhaps even more important is for information that passes from one IS to another to retain its meaning, that is, to communicate effectively across space, time and IS boundaries. Semantic interoperability is an emergent whole-system property of distributed information systems that is difficult to specify exactly, even in simple situations, because of the wide range of contextual factors and data transformations that may play a part.
By now, considerable informal practical evidence has accumulated to justify the commonly held opinion that transferring XML data conforming to a shared specification, for example an XML schema plus a shared understanding of its expected usage, provides a reasonably effective way of achieving semantic interoperability between disparate information systems. However, many members of the markup languages community have become only too familiar with the practical problems that arise when the information concerned is complex, or its significance is heavily dependent on context.
This is a real business; however, for the purposes of this paper it is referred to as XYZ corporation. Within a broader Enterprise Architecture strategy, XYZ's Global IT unit has developed an Enterprise Data Architecture (EDA) to facilitate the exchange of information between systems and territories. The EDA contains in particular a small number of Data Object Models representing those few common denominators of business information that are both fundamental to the business and used in multiple systems. These Data Object Models include numerous object attributes whose values are controlled, and this is expressed by referencing standardized vocabularies. A few of these vocabularies are industry standards; most, however, are XYZ global standards, and the establishment of these vocabulary standards has been a major part of the effort required to establish a usable EDA.
A Data Services approach based on Service Oriented Architecture (SOA) principles provides a practical way to implement common data services for key inter-territory interactions such as employee transfer, across numerous diverse information systems. The value of XYZ's Data Object Models within their SOA is that they provide a reference semantics for the data services, independent of operational and platform considerations.
For practical interoperability, data services have to transfer data in some specific data format, and in this case XML was adopted as a widely used industry standard. In order to provide a sound framework for implementing the data services, the Data Object Models (simply-structured relational models) are implemented as an XML Data Catalogue containing W3C XML schema components, together with example schemas and instances (prototypical data service payload schemas and instances) that reflect the content and structure of the Data Object Models. The final step for actual interoperability is that operational data services are defined following these exemplars, and the interoperating systems equipped to handle the resulting XML data.
The standardized vocabularies have their own Data Object Model, together with a uniform simple XML representation for download by territory IT organizations, and are disseminated with a stylesheet to convert this format into an XML schema component (enumerated type). The latter option is only expected to be used in practice for smaller vocabularies; the larger ones are more likely to be assimilated into local enterprise systems for interactive use by humans and computers.
Healthcare information has high inherent complexity, and the essential role of shared conceptual models and vocabularies has long been recognized. There are by now several successive generations of industry standards in this area. Ontologies are growing in popularity as a way to represent the extensive shared understanding required for meaningful transfer of information of this complexity, and the field of bioinformatics has played a leading (though by no means exclusive) role in recent ontology research [Ont1].
Context in interoperability is an inherently difficult problem, a close relative of the "frame problem" in classic AI, and is usually handled in practice by overall interaction design combined with some ability to refer to information that is known (or assumed) to be in the sending or receiving system already. Relationships between information items (simple or complex) are important for modelling context and large scale structure of recorded information; explicit analysis of the kinds of relationships modelled within ontologies [Ont2] is one of the ways in which this is being addressed in health informatics, especially for capturing (relatively) invariant aspects of context.
There is also a newer interoperability challenge, the threat to meaningful persistence from the sheer quantity of information that is accumulating in electronic health records. Summary records and "dashboard views" are often used to good effect, however the long-term preservation of the utility and integrity of a summary record is not necessarily straightforward, and loss of meaningful access to stored information is unfortunately becoming well known as a causal factor in harm caused to patients by medical treatment.
Consider this simple tale of healthcare information flow. Pat Wrekin lives in Shropshire, and is generally in good health. Pat visits his GP and local hospital regularly for check-ups, as part of a planned programme of care for Type 2 diabetes (a local implementation of the UK Diabetes National Service Framework). While on holiday in Derbyshire, Pat goes out walking alone. He is found by another walker lying unconscious and injured, apparently due to a fall, and is taken to A&E at the local hospital. Luckily, they are able to contact Pat's GP and find out something useful...
This highly structured, specialized human-to-human communication can be accounted for in situation semantics terms in a similar way to the telephone conversation about JJ's transfer described below. However, what is more interesting here is how it works when the information is conveyed via electronic health record systems (EHR) using shared interoperability standards. The overall situation in this case is illustrated below:
The arrow linking the two EHRs is the main point of interest. An XML message travels from one EHR system to another, conveying (amongst other things) the information that Pat Wrekin has Type 2 diabetes. In order to do this effectively, the format and content of the message must be well understood by both systems. The next but one section of this paper takes a look "under the hood" at how and why this works, using the model of information flow in Barwise & Seligman's "Logic of Information Flow" [BarSel97].
Consider the following situation:
When an employee (John Jonathon Jones, known as JJ) moves from being employed in the UK territory of XYZ corporation to being employed in the Canadian territory, an XML document is sent from the UK territory data centre to the Canadian territory data centre, containing key human resources (HR) information: name, unique personnel identifier, grade, nationality etc.
Consider first what would be needed for the information about JJ's transfer to be communicated by telephone between individuals in the two regions.
“John Jonathon Jones will be transferring from the UK territory to Canada on 1st September 2006; he will be based in Ottawa; his employee number is 1122334455; his grade is Manager...”
This communication depends in particular on two situations known to (individuated by, in situation semantics terminology) both the speakers: this specific employee transfer; and the generalized situation of inter-territory employee transfer. The specific transfer of JJ is the described situation; the generalized inter-territory employee transfer situation is a resource situation (you can think of this as shared knowledge used as a reference). There are three other situations that figure from a situation semantics point of view: the utterance situation is the situation of speaking an utterance whose semantics is being considered, e.g. “He is Manager grade”; this in turn is part of the discourse situation, the full communication about JJ's transfer. There is also an embedding situation, in this case the whole telephone conversation including initial and closing social chat.
This kind of well-practised human-to-human communication is, in many business situations, giving way to data exchange; telephone calls between people who know their job well are being replaced by XML messages between computers that can handle quantities of intricate data but have no common sense whatsoever. How can this possibly succeed?
If I were to look at the XML document (such as the example below) as an outsider, then I would probably realize that it is, for example, about some particular John J Jones who is uniquely identified by the personnel identifier and is of the stated nationality - however, unlike the receiving system, I would certainly not then know what internationally recognized company accounts sign-off responsibilities, let alone what Canadian salary range, was applicable to this individual. Full understanding of what is being said depends on access to the surrounding context. In situation theory terms, the full meaning of the XML data transfer is provided by an analogous structure to the situations involved in the telephone conversation, as follows.
This particular employee transfer between territories is the described situation; the generalized employee transfer situation, including XYZ's rules for what information is transferred, is a resource situation; other resource situations include XYZ corporation's grading scheme, enterprise architecture, XML Data Catalogue, controlled vocabularies and so on. The utterance situation is the situation of sending this data as an instance of an "employee transfer" data service; the discourse situation is the whole (multi-layered) realization of the "employee transfer" data service; the embedding situation is the broader context of XYZ's general business model, network connexions, technology platforms etc.
A key aspect of the explanation of meaningful communication outlined above is that resource situations play a vital role, embodying shared knowledge such as accounts signoff responsibilities, and represented in information systems by XYZ corporation's enterprise architecture, XML Data Catalogue, and controlled vocabularies. The principal puzzle under investigation in this paper can be stated as: How is it that data artefacts are able to serve this purpose in a situation such as a data service implemented as the transfer of an XML document? It is actually rather odd that data is so readily able to serve as a means of sharing knowledge, especially about parts of the world that are outside any computer.
One aspect of this rather strange property of structured data is discussed in my 2001 Extreme paper [Wrightson01], that is, that XML based information transfer exemplifies the dependence of information flow on uniformities, that is, suitable structural similarities, between data structures perceived (individuated) at each end of the flow. These similarities are characterized (drawing on the account in The Logic of Information Flow, [BarSel97]) as a local logic at each end of the information flow; information can only flow when the local logics at each end of the flow are related by suitable constraints.
This correspondence between resource situations and local logics is not accidental, indeed local logics are intended as (amongst other things) a formal model of resource situations.
Bringing these two (2001 and 2005) viewpoints together, what can now be said to explain the efficacy of shared XML schemas, vocabularies etc in mediating the shared understanding necessary to imbue the employee transfer message between XYZ's UK and Canadian territories with real-world meaning?
Here is a simple XML implementation (loosely based on HR-XML) of the example HR information described above, assumed to form a part of a larger message that effects the employee transfer between the two territory HR information systems:
<EmployeeTransferData>
  <PersonName>
    <GivenName>John</GivenName>
    <PreferredGivenName>JJ</PreferredGivenName>
    <MiddleName>Jonathon</MiddleName>
    <FamilyName>Jones</FamilyName>
  </PersonName>
  <PersonnelIdentifier>1122334455</PersonnelIdentifier>
  <Grade>Manager</Grade>
  <Nationality>UK</Nationality>
</EmployeeTransferData>
The intended meaning of the message as sent from the UK territory HR system depends on (at least) the resource situations indicated below:
This may seem trivial and obvious, however it is only so if the capability of XML messages to convey real-world information is itself regarded as obvious rather than problematic. If you are with me so far, then let's take one more step: What kinds of things are these resource situations, and what kind of relationships are needed between the resource situations at either end of the message transfer, to support meaningful communication?
According to Barwise & Seligman's Principle 3, “It is by virtue of regularities among connections that information about some components of a distributed system carries information about other components.” In the case of the XML mediated information flow we are discussing here, these connexions are the correspondences in structure and content between (all or part of) XML documents held in different parts of the system, in particular, between the copies of the XML message held by the sender and receiver, and between these and the respective territory information systems. What is the nature of these connexions?
Consider the XML message itself. The rules of equivalence of well-formed XML documents mean that even the basic level of faithful transmission of the message from sender to receiver is not simply a matter of reproducing a string of character data. However, normalization was invented to stop this problem being a nuisance, so it will be ignored from here on.
Consider the Nationality vocabulary. This is a list of names of nationalities recognized globally within XYZ corporation. An instance of a member of this vocabulary is able to convey real-world information about an actual employee because these names of nationalities are not only uniformly represented across XYZ corporation, but also correspond to actual nationalities (outside the computer). In short, the Nationality vocabulary serves as a shared ontology of nationalities of employees - and we see that the notion of a local logic supporting information flow re-emerges naturally, as logical models of ontologies are well known.
Consider the employee grade. The value (Manager) is likely to be a term representing a leaf node of a hierarchical classification (taxonomy). In order for the significance of the grade value to be fully understood by the receiving system, not only must the term itself (Manager) be recognized as a grade term, but the classification structure of grades must also be known. This kind of structure is often modelled as a more complex kind of ontology, again with a logical model.
Consider the XML schema that describes the structure of the message, and in particular the fragment shown. Purely in relation to XML message instances, the schema can be regarded in (at least) two ways: as instructions to a schema-validator regarding how to construct a validation-machine for such messages; or alternatively as declarative knowledge concerning a structurally similar class of XML documents. Both these viewpoints on a schema - but more naturally the latter - can be modelled as logical theories [MQDR03].
The shaded resource situations on the receiving side represent exactly those ways in which the message is understood differently by the receiver, that is, the different policy on employee names, and the local salary structure. The policy on employee names provides a simple example of how the relationship between the local logics involved models the information flow that is effected by the XML message. Say for example (fictitiously) that the UK employee name model includes a preferred given name, that may be different from any given name. Conversely, the Canadian employee name model includes the ability to provide a language-specific variant. Considering each model as an ontology, neither can be fully modelled in the other, however in each direction a faithful partial (forgetful) mapping can be made. The information flow that can be supported between the systems concerning employee names is both enabled and constrained by the relationship between these two models.
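The receiving side of this transfer, sketched as an added example (not code from the paper or from XYZ): a gateway reads the EmployeeTransferData fragment, accepts Nationality and Grade only if they belong to the shared vocabularies, and applies the forgetful mapping from the UK name model to the Canadian one. The vocabulary contents, the grade taxonomy, the `LanguageVariant` field name and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the EmployeeTransferData fragment shown in the text.
MESSAGE = """\
<EmployeeTransferData>
  <PersonName>
    <GivenName>John</GivenName>
    <PreferredGivenName>JJ</PreferredGivenName>
    <MiddleName>Jonathon</MiddleName>
    <FamilyName>Jones</FamilyName>
  </PersonName>
  <PersonnelIdentifier>1122334455</PersonnelIdentifier>
  <Grade>Manager</Grade>
  <Nationality>UK</Nationality>
</EmployeeTransferData>"""

# Constructed stand-ins for the shared resource situations (assumptions).
NATIONALITY_VOCAB = {"UK", "Canada", "France"}
GRADE_PARENT = {                 # grade taxonomy, child -> parent
    "Manager": "Management",
    "Director": "Management",
    "Management": "AllStaff",
    "Associate": "AllStaff",
}
# Fictitious name models, following the text: the UK model has a preferred
# given name, the Canadian model has a language-specific variant.
UK_NAME_FIELDS = ("GivenName", "PreferredGivenName", "MiddleName", "FamilyName")
CA_NAME_FIELDS = ("GivenName", "MiddleName", "FamilyName", "LanguageVariant")


def forgetful_map(name, target_fields):
    """Map a name record into another model; return (mapped, forgotten)."""
    mapped = {f: name[f] for f in target_fields if f in name}
    forgotten = sorted(f for f in name if f not in target_fields)
    return mapped, forgotten


def grade_path(grade):
    """Return the grade followed by its ancestors in the shared taxonomy."""
    if grade not in GRADE_PARENT:
        raise ValueError(f"grade {grade!r} is not in the shared taxonomy")
    path = [grade]
    while path[-1] in GRADE_PARENT:
        path.append(GRADE_PARENT[path[-1]])
    return path


def receive(xml_text):
    """Interpret the message on the Canadian side against shared resources."""
    root = ET.fromstring(xml_text)
    if root.tag != "EmployeeTransferData":
        raise ValueError(f"unexpected root element {root.tag!r}")
    name_el = root.find("PersonName")
    if name_el is None:
        raise ValueError("PersonName is missing")
    sent_name = {}
    for child in name_el:
        # The sender's name model is itself a shared resource: reject
        # elements it does not define rather than silently ignoring them.
        if child.tag not in UK_NAME_FIELDS:
            raise ValueError(f"unexpected name element {child.tag!r}")
        sent_name[child.tag] = (child.text or "").strip()
    nationality = (root.findtext("Nationality") or "").strip()
    if nationality not in NATIONALITY_VOCAB:
        raise ValueError(f"nationality {nationality!r} is not in the vocabulary")
    grade = (root.findtext("Grade") or "").strip()
    mapped, forgotten = forgetful_map(sent_name, CA_NAME_FIELDS)
    return {
        "personnel_id": (root.findtext("PersonnelIdentifier") or "").strip(),
        "name": mapped,
        "forgotten": forgotten,  # present in the UK model only
        "unfilled": [f for f in CA_NAME_FIELDS if f not in mapped],
        "grade_path": grade_path(grade),
        "nationality": nationality,
    }


if __name__ == "__main__":
    for key, value in receive(MESSAGE).items():
        print(f"{key}: {value}")
```

The `forgotten` and `unfilled` lists make the two directions of partiality visible: what the receiver cannot represent, and what the sender could never have supplied.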
The account outlined above for transfer across a global network applies equally to conveying information across time, that is, persistence of information. Long data life relative to technology platform lifecycles, together with platform incompatibilities between different companies needing to process the same data, were the original motivation in the development of generic coding in markup languages and its subsequent standardization in SGML, so it is no surprise that there is no significant difference in principle between XML-mediated data transfer and persistence. In the same way as described above for data transfer, retrieving old data and understanding it depends on having a sufficiently full and faithful mapping between the schemas, vocabularies etc that would have been used to interpret the original data, and what is available now.
These aspects are just a small part of the web of complex interrelationships in semantic infrastructure - both inside and outside computers - that sustain actual information flows. In particular, it is pretty clear why faithful communication of non-trivial information is hard: even a very simple example of information flow involves a number of factors that all need to work closely together to enable meaningful communication.
In Barwise & Seligman's account (outlined in 2.2 and 2.3 of [BarSel97]), information flow between two disparate (logical) systems is effected via mappings (“infomorphisms”) to a third (logical) system serving as an information channel. This is a straightforward and natural formalization of the familiar situation where standardized, shared information (often but not necessarily in XML) provides interoperability, within a well-defined scope, between two disparate information systems. The aim of this section is to apply the abstract concepts described by Barwise & Seligman to two common ways of achieving interoperability: the establishment of a shared repository of records referenced by different systems, and direct exchange of messages. Both the shared record and the message are assumed to be in XML, however the minimum necessary for the first example is that the record should be in some specific form that is known to both parties. The second example goes deeper into the underlying models and specifications involved in ensuring the information is accurately conveyed.
Consider a situation where the healthcare and social care of vulnerable elderly people in some town is co-ordinated via a shared care record populated (selectively) with information from both healthcare and social care organizations. Our example case is Mrs Amy Upton, Pat Wrekin's elderly aunt, and the “business as usual” configuration of information about her in these three systems is as follows:
As well as being regularly updated from each system, the shared care record mediates between concepts in the other two systems, for example mapping the formal identifier (NHS number) used in one system to the less formal identification (name and address) used in the other. Making sure that the shared record is up to date involves mapping information from a record type in each source system (patients enrolled in shared care, and clients on the shared care scheme, respectively) into a corresponding record type in the shared record repository. Finding Amy Upton's home care plan using the healthcare system to access the shared record is, in contrast, a relationship between individual records. Such pairs of correlated relationships between types and individual items constitute infomorphisms ([BarSel97], p32).
This situation, where the information channel (the shared record) is simple and fully specified, is in line with Barwise & Seligman's initial proposal on page 35. For example, provided our shared care scheme is operating normally (and this of course includes human actions as well as information held on computers), a clinician, seeing that Mrs Upton (patient 1000100100) is enrolled in the shared care scheme, also knows (it carries the additional information that) she has a home care plan.
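The shared care record as an information channel, worked through as an added example (not from the paper): each system is a classification of tokens (records) by types, and a mapping into the shared record is an infomorphism when the token map and the type map agree, that is, when down(c) is of type a in the source exactly when c is of type up(a) in the shared record. The record identifiers other than 1000100100, the addresses, the type names and the function names are constructed for illustration.

```python
class Classification:
    """Tokens, types, and the set of (token, type) pairs that hold."""

    def __init__(self, tokens, types, holds):
        self.tokens = frozenset(tokens)
        self.types = frozenset(types)
        self.holds = frozenset(holds)

    def sat(self, token, typ):
        return (token, typ) in self.holds


def pairs(tokens, types):
    return {(t, ty) for t in tokens for ty in types}


def is_infomorphism(src, core, up, down):
    """up: typ(src) -> typ(core); down: tok(core) -> tok(src).
    Condition: down[c] |=_src a  iff  c |=_core up[a], for all c and a."""
    if set(up) != src.types or set(down) != core.tokens:
        return False
    if not set(up.values()) <= core.types or not set(down.values()) <= src.tokens:
        return False
    return all(src.sat(down[c], a) == core.sat(c, up[a])
               for c in core.tokens for a in src.types)


def constraint_holds(core, premise, conclusion):
    """A regularity of the channel: every token of `premise` has `conclusion`."""
    return all(core.sat(c, conclusion) for c in core.tokens if core.sat(c, premise))


# Constructed data. Patient 1000100100 is Mrs Upton; 1000100555 is not enrolled.
ENROLLED = "enrolled in shared care"
HEALTH = Classification(
    {"1000100100", "1000100999", "1000100555"}, {ENROLLED},
    pairs({"1000100100", "1000100999"}, {ENROLLED}))
SOCIAL_TOKENS = {"Amy Upton, 1 Example Road", "B Sample, 2 Example Road"}
SOCIAL_TYPES = {"client on shared care scheme", "has home care plan"}
SOCIAL = Classification(SOCIAL_TOKENS, SOCIAL_TYPES, pairs(SOCIAL_TOKENS, SOCIAL_TYPES))
SHARED_TYPES = {"shared-care patient", "shared-care client", "home care plan on file"}
SHARED = Classification({"SCR-1", "SCR-2"}, SHARED_TYPES,
                        pairs({"SCR-1", "SCR-2"}, SHARED_TYPES))

# Healthcare <-> shared record, and social care <-> shared record.
F_UP = {ENROLLED: "shared-care patient"}
F_DOWN = {"SCR-1": "1000100100", "SCR-2": "1000100999"}
G_UP = {"client on shared care scheme": "shared-care client",
        "has home care plan": "home care plan on file"}
G_DOWN = {"SCR-1": "Amy Upton, 1 Example Road", "SCR-2": "B Sample, 2 Example Road"}

# Failure mode: the shared record was not updated after a patient left the scheme.
HEALTH_STALE = Classification(HEALTH.tokens, HEALTH.types,
                              pairs({"1000100100"}, {ENROLLED}))


def carried_information(patient, health=HEALTH):
    """Social care clients the clinician may conclude have a home care plan,
    given that `patient` is enrolled. Empty if the channel is unsound."""
    sound = (is_infomorphism(health, SHARED, F_UP, F_DOWN)
             and is_infomorphism(SOCIAL, SHARED, G_UP, G_DOWN))
    if not sound or not health.sat(patient, ENROLLED):
        return []
    if not constraint_holds(SHARED, F_UP[ENROLLED], G_UP["has home care plan"]):
        return []
    return sorted(G_DOWN[c] for c in SHARED.tokens if F_DOWN[c] == patient)


if __name__ == "__main__":
    print(carried_information("1000100100"))
    print(is_infomorphism(HEALTH_STALE, SHARED, F_UP, F_DOWN))
```

With the stale classification the infomorphism condition fails, so no conclusion is drawn for any patient: the inference is only as good as the agreement between the shared record and its sources.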
The main functional difference between a direct message and the shared record discussed above, is that with a direct message there is no brokering or mediating functionality (such as identifier cross-mapping) in the interoperability layer between the two systems, just a data transfer that conforms to a shared specification. In a typical architecture supporting such messaging, each information system has a gateway component that translates information received in the shared interoperability format into the internal structure of the specific information system.
Looking at this from a modelling rather than a functional perspective, each system has an interoperability model that enables its internal data to be mapped to the common interoperability specification. These correspond to local logics in Barwise & Seligman's account.
The caveat just made suggests the danger of an infinite regression (see note 1). This is always a possibility when relating logical models to the real world. At some point there has to be a quasi-arbitrary decision that the semantic framework being used is good enough for the intended purpose. In healthcare, there is a broad consensus that the standard required is pretty high, and there is a strong tradition of formal terminologies, ontological models, reference information models etc to underpin families of specific interoperability standards.
The next section looks at part of one such framework. Having used a simple example in this section to illustrate how the concepts of infomorphism and local logic reflect the operation of simple interoperability solutions, the next section works the other way around, using these concepts of information flow to explore how a more complex interoperability “stack” needs to interrelate in order to support faithful flow of information.
The “stack” used in this section owes some of its structure to work in progress at the time of writing within HL7, a specialist standards development organization for healthcare information exchange, to improve the general usability and XML realization of interoperability standards in the HL7v3 family of standards. Having said that by way of acknowledgment, what follows is not part of any HL7 specification, and is presented here without prejudice to ongoing work in HL7.
The overall structure of the stacks involved in each application, and in the interoperability layer, is shown below.
Moving from a functional perspective to a modelling perspective, a strict loosely coupled black box concept of interoperability connects the model stacks in the interoperating systems at the bottom layer only, relying on the integrity of the internal stack of each system to ensure that common data yields common meaning to expert users. This is illustrated below.
However, only relatively simple structured data standards can be fully black box. The black box principle is weakened in practice for complex information because the guarantees required for handling the information at each end imply a fair bit of inside information about the interoperating systems. A simple example in healthcare is clinical coding, where informal descriptions of conditions, procedures and so on are made precise and machine-comparable through the use of comprehensive clinical terminologies such as SNOMED CT (SnCT). Although SnCT contains a large number of predefined specific terms, there are still situations where a full description depends on associating several SnCT terms together in a structured way, for example to associate a procedure type, the site where it was performed, and the exact therapeutic substance used (this is often referred to as post-coordination). The difference between "I performed procedure B at site A using substance C" and "I administered substance C at site A using procedure B" is fairly trivial to an expert human reading textual notes. However, using corresponding coded representations of these different descriptions of similar actions across records in our two interoperating information systems is likely to have the consequence that they cannot be identified for information retrieval purposes as examples of the same kind of thing. When patient care is relying on clinical records that are shared across different healthcare systems, full retrieval of, for example, medication information is important for patient safety, so this is a very important practical problem.
How much and what kind of standardization is needed between information systems to ensure that interoperability works in practical terms? This is an area where early adopters of the HL7v3 standards are at the leading (bleeding?) edge. The coding example above is typical of the kind of discussions ongoing in England (in HL7 UK and elsewhere) with the aim of putting in place enough standardization for effective interoperability of a national summary clinical record without undue burdens on vendors and integrators of local clinical systems. What this amounts to from a modelling perspective is that the simple black box interoperability stack illustrated above does not provide enough to guarantee interoperability, that is, supporting relationships are necessary at one or more intermediate levels as well, for example as shown below.
Effective supporting relationships can be provided in many ways. For example, staying outside the computers altogether, procedural guidance for clinical coding could be issued to system users mandating a particular order for applying concept types in constructing composite codes. In this paper, of course, the interest lies more in common models that would be specified in an interoperability standard, and realized in some way within each conforming information system.
Each of the arrows in the preceding diagram can be thought of as an infomorphism. Going down the central stack, the models become more and more specific, that is, say more about what they describe, and apply to fewer real-world information artefacts. For example, a Domain Analysis Model would contain generic concepts used in, say, Diagnostic Imaging; information regarding the information items required for a specific interaction would be in a Message Information Model; and the XML model would describe how this information would be presented in the ordered structure of an XML document.
In Barwise & Seligman's account (p44), this relationship between a more specific and a more generic model, expressed as local logics, is called refinement (see note 2). Looking at the preceding diagram from this perspective, it is attractive to conjecture that semantic integrity of the grey-box interoperability represented by this ladder-like structure would correspond to commutativity of the corresponding formal structure with the arrows considered as infomorphisms, and the models considered as local logics. At each layer, just as in the direct messaging example analysed above, conclusions can be drawn within the information channel C about and only about those aspects of B that are faithfully mapped into C, and sound conclusions can be drawn within A about and only about those aspects of C that have been faithfully mapped from A into C. Because of this, at each level information flow via C provides semantic interoperability if and only if the mapping of B into C and the mapping of A into C overlap within C in a way that is semantically sound for both A and B. For dependable interoperability, i.e. in order to preserve soundness and completeness as far as the desired communication is concerned, this would mean that at each level there is a fully specified model within C of the desired interoperability; and that this model is faithfully mapped to by equivalent models within A and B (bearing in mind that the models in both A and B will have lots of other content as well).
The framework for information flow provided by Barwise and Seligman provides a convincing account of the conditions required for interoperability. Though well short of a full formal analysis, the sketches above do provide quite rigorous criteria for interrelationships between models that are fit for purpose in this context, and it is hoped that these will be useful in taking forward the work in progress in HL7.
Taking this formal analysis a stage further would entail the construction and analysis of detailed mappings between formalizations of domain models, message implementation models and XML models. Unfortunately, analytical formal models in computer science tend to be more complex than their subject matter, and added to the inherent complexity of healthcare information this would lead to a formal model designed to represent a realistic interaction being too cumbersome to be useful, even if possible to construct. This suggests that a next step would be to look for formal analysis techniques that would abstract out the specific characteristics in each layer of a stack that are critical for sound interoperability, and allow the construction of tractable layered models for verification.
An unexpected bonus for me of developing this paper has been finding a natural context for considering well-formed XML documents, shared vocabularies and XML schemas as all having models in logic(s). These have of course all been modelled theoretically in this way for some time, however the relevance and value of doing so was not clear to me before gaining the understanding expressed in this paper. Other justifications for modelling XML using logic are discussed in the work of Sperberg-McQueen, Dubin & Renear, eg [MQDR03].
Note 1. For discussion of a related issue in models of situation theory, see Jon Barwise's paper Situations, Sets and the Axiom of Foundation in his collection of papers The Situation in Logic [Bar89].
Note 2. Similar to (but not to be confused with) the concept of refinement used in the computer science field of formal methods, where a process of refinement goes from a more abstract formal specification to a more directly implementable model.
[Bar89] Barwise, The Situation in Logic, CSLI publications, Stanford University, 1989
[BarSel97] J Barwise and J Seligman, Information Flow; the Logic of Distributed Systems, Cambridge UP 1997
[Devlin91] K Devlin, Logic and Information, Cambridge UP 1991
[MQDR03] David S. Dubin and Allen Renear & C. M. Sperberg-McQueen, Addressing Obstacles to the Retrieval of Structured Documents, July 2003; University of Illinois at Urbana-Champaign report ISRN UIUCLIS--2003/1+EPRG
[Ont1] Baclawski & Niu, Ontologies for Bioinformatics, MIT Press 2006
[Ont2] Smith et al, Relations in biomedical ontologies, Genome Biology 2005, 6:R46 The electronic version of this article is the complete one and can be found online at http://genomebiology.com/2005/6/5/R46
[Wrightson01] A Wrightson, Some Semantics for Structured Documents, Topic Maps and Topic Map Queries, Extreme Markup Languages 2001
[Wrightson05] A Wrightson, Semantics of Well Formed XML as a Human and Machine Readable Language, Extreme Markup Languages 2005