Bechtel Electronic Time Record

A Three-Tiered Application Success Story

by Christopher Waterson & Menachem Sendowski

Abstract

Using Gupta SQLWindows and Oracle7, Bechtel Corporation and Terrace Systems Corporation have jointly implemented a corporate time recording application that is currently in use by over 3,500 Bechtel employees, and is targeted to be in use by all 16,000 non-manual employees by the end of 1995.

The Bechtel Electronic Time Record (BETR) system uses a unique three-tiered client server architecture we call "light-client" client-server: a front-end presentation layer is used for managing user interaction, an application layer processes requests from the front-end and implements business logic, and a database layer serves as a repository for business information. Our original motivations for selecting this design were:

• To support scaleable on-line transaction processing.
• To support multiple interface layers, including graphical, host-based, voice response, and optical character recognition.
• To produce reusable application components that could be shared among similar systems.
• To centralize information security and control.
• To minimize network interaction.

Once the high-level design had been completed, we drafted Oracle7 stored procedure interface specifications and formed two application development teams. The "front end" team concentrated on building a solid SQLWindows application that was easy and intuitive to use. The "back end" team concentrated on implementing the business logic of the application. The two teams worked independently and in parallel, and only saw the fruits of the other's labor in the final stages of development. From inception to production, the project took close to 8 months, and involved four full-time programmers for a period of about one month.

In this article, we review the three-tiered client-server architecture in detail. We expand on the development methodology which we used to build the application. We discuss specific design considerations and implementation details, including application partitioning and encapsulation. Finally, we review the success of our implementation, highlighting both positive and negative aspects of the architecture as implemented in a real-world system.

Overview

BETR was born as a business initiative to reduce Bechtel's payroll and labor overhead processing costs by replacing the paper-based manual time recording system with an automated equivalent. As system designers, our goal was to produce an easy-to-use application that could be accessed by each employee within the organization from his or her desktop computer.

As such, BETR is a functionally simple application that provided several interesting technical challenges.

• The core system consists of a single business application that involves a few simple operations that are repetitively invoked by many concurrent users. This kind of application is referred to as an on-line transaction processing (OLTP) application.
• Bechtel uses a bi-weekly time recording cycle, during which many employees are prone to wait until the end to record their time. Even with this drastically asymmetrical loading pattern, we still needed to maintain an acceptable "service level" for all users.
• Due to the disparity in hardware throughout the enterprise (Intel286 and up, Macintosh), the application had to be supported in both graphical and host-based environments. In addition, future directions dictated that we be able to support voice response and optical character recognition (OCR) mechanisms for recording time.
• Time record data is used to drive both the payroll, labor distribution, and billing processes, and is used as supporting documentation for audits; hence, this information must be guarded against tampering by malicious users. As Bechtel is a government contractor, the system had to conform to DCAA standards and was audited for compliance.
• Time record validation logic relies on information that must be available to the system, but is generally considered confidential (e.g., employee grade, vacation balances).
• Bechtel's network infrastructure is aging and prone to "brown-out" periods of slow response. Although we knew this would improve, our initial implementation dates were well ahead of the network upgrade schedule.

It was our conclusion that these technical problems could be most effectively and elegantly solved by a "light client" client-server application architecture for the OLTP components of the application.

Client-Server Flavors

Below we describe some of the different approaches to client-server, and high-light the advantages and disadvantages of each as they applied to our business scenario.

"Traditional" Client-Server

The "traditional" client-server architecture depicted in Figure 1 was the first architecture we considered for BETR. We classify a "traditional" client-server architecture as a two-tier architecture with the following characteristics:

• The client application supports the user interface (window and form management).
• The client application supports the user interface logic (transaction control).
• The client application maintains data integrity and enforces business rules.
• The client application performs all validations, computation, and data transformations.
• The client application issues ad hoc data manipulation language (DML) to manipulate database information; i.e., "raw" INSERT, UPDATE, and DELETE statements.
• The database server is a data repository that provides concurrent access to information and simple integrity checks (e.g., referential integrity).

This approach is well suited for applications where flexibility is paramount. The database serves as a repository of information that can be accessed and maintained freely by a variety of application tools in a vendor-neutral manner.

Figure 1. Traditional client-server architecture

However, for transaction-intensive applications with a large installation base, the traditional client-server architecture led to several problems:

1. Server bottlenecks. The server must continually re-compile the ad-hoc SQL statements that are issued from the client applications. On a saturated machine, this takes CPU time away from the execute and fetch database operations that are critical for overall application performance.
2. Network bottlenecks. Even though SQL was designed with network traffic in mind, a fair amount of data still must move back and forth between the client and server systems when procedural validation, computation, or data transformation is performed.
3. Software distribution problems. If a bug is discovered in the client software that compromises data integrity, the new client software must be rapidly and thoroughly distributed to the entire user community. As the software's installation base increases in size, timely distribution becomes more difficult and expensive to perform and guarantee.
4. Multi-platform support problems. For users who are unable to use a graphical client, character mode application equivalents must be provided. This results in generation and maintenance of redundant code -- each business function must be implemented by each front-end application.
5. Security holes. If a malicious user gains access to the database, he or she could wreak havoc on the information contained within the tables.

Tiered Client-Server

A "tiered" client-server architecture solves some of the above problems by introducing a layer between the client application and the database server called the application server (see Figure 2):

• The client application provides the presentation layer with which the user interacts.
• The client application communicates with the application server via a business message that specifies an application-specific action which manipulates or retrieves information.
• The application server contains the bulk of the business logic needed to actually carry out the operation. It issues the necessary SQL statements to the database server to do so.
• The application server responds to a business message with a business error when an application constraint is violated.
• The database server is a data repository that provides concurrent access to information and simple integrity checks (e.g., referential integrity).

Figure 2. Tiered client-server architecture

Tiered client-server is more appropriate for OLTP-style applications because it offers:

1. Improved software management and control. Because validation logic and business rules are enforced on the application server, they can be strictly maintained by central personnel. If business logic changes, the changes can be immediately effected on the application server.

An upgrade to local software (and therefore re-distribution) need only be applied when a change is made to the application's overall functionality that requires a change to the user interface.

Post production risks are reduced because each business message can be tested independently of the user interface. The ensures that a business operation works under normal and abnormal conditions because it can be thoroughly tested with a wide variety of parameter values.

1. Shared business logic. Tiered client-server can reduce duplicate coding. Moving the system's business logic to the application server eliminates the need for redundant business functions in different presentation layers.

The client software is simply a presentation layer that allows the user to view and navigate the data, allows the user to send business messages, and informs the user of business errors.

1. Improved security. Although there is no way to guarantee complete security in any environment, tiered client-server architecture can reduce the security risks. The underlying database tables may be "buried" on a secure database server that may only be accessed via the application server.

Application users manipulate the database tables only indirectly, via business messages sent to the application server. Each business message is implemented in such a way that it raises a business error if a user attempts to perform an invalid operation.

At the time when we were performing technology selection and evaluation, getting into the "pure" three-tiered marked was prohibitively expensive and fairly complex. We were also unwilling to implement a "pure" three-tiered client-server architecture because it requires two distinct processing units, an application server and a database server.

The "Light Client" Approach

The "light client" client-server architecture (shown in Figure ) solves the two-processor problem of the tiered client-server architecture by using Oracle stored procedures to combine the application server and the database server in a single-processor environment.

Figure 3. "Light client" client-server architecture

In the "light client" client-server architecture, as in the tiered client-server architecture, the front-end component of the application is a presentation layer, and need only provide an effective application interface to the user. Unlike the tiered architecture, the bulk of the application's business functionality is implemented by the RDBMS engine itself.

As in tiered client-server, the two portions of the application communicate using business messages. Unlike the tiered architecture, the messages are issued directly from the client application to the database server.

The "light client" client-server architecture has all of the advantages of the tiered architecture, including simpler software distribution, reduction of duplicate software, and improved security. In addition:

1. "Light client" client-server can be implemented without complex, expensive transaction management middle-ware. The required components are an Oracle7 database and a GUI-builder that can interface with Oracle7's stored procedures.
2. "Light client" client-server reduces the network bottleneck. Though a network bottleneck can never be completely eliminated, either, this architecture minimizes reliance on the network (or other communication path).

By moving the bulk of the business logic to the server platform, operations the require complex data validation, lookup, summarization, or bulk-manipulation need never incur a network "hit." These operations are all encapsulated within the server-level logic. The client simply requests a business operation of the server, and the server handles the nuts and bolts of getting the job done.

1. "Light client" client-server reduces the database server bottleneck. Initially, it may seem that the "light client" client-server approach would create more of a server bottleneck than the traditional client-server architecture; however, this is not the case. Although the server machine does enforce the bulk of the business logic, the operations are combined together using PL/SQL, which is much more efficient than issuing the statements individually.

Bundling several operations together into a stored procedure (among other things) reduces the number of external-to-internal and internal-to-external datatype conversions that are required for individual operations -- these conversion operations involve network traffic and are relatively expensive.

1. "Light client" client-server only requires one machine to implement both application and database servers.

Risks

Pursuing the "light client" client-server architecture in favor of the traditional or tiered client-server architectures is not without risk:

1. By moving from ANSI-standard SQL to Oracle's proprietary PL/SQL, we have become vulnerable to the problems of a proprietary development product, including:
   • A smaller and more specialized technical resource pool, from which it may be difficult or expensive to hire.
   • Reliance on a single vendor (Oracle) who controls the development tools, product maintenance and enhancement, and technical support.
   • Varying degrees third-party support of the "non-standard" extensions to the SQL language.
2. The "light client" client-server architecture is technically quite simple; however, implementing it may be a difficult management and coordination task:
   • The architecture is highly "interface oriented" by nature. Defining the proper interfaces is critical to successful implementation of the final system, as failure to do so results in expensive changes to all components.
   • Because we intended to use several different resources to develop the application systems, all involved parties had to thoroughly understand and agree upon the interface between each component. Front-end developers must rely upon the server performing as specified, and server developers must address all needs of the front-end systems.

Implementation

Once the high-level design and analysis of BETR was complete, we performed detailed designed and implemented BETR over a period of three to four months. We had two development teams with distinctly different skill sets:

• Our front-end team consisted of two SQLWindows developers with a high-level understanding of the application system and extensive experience in user-interface design.
• Out server team consisted of two Oracle developers with experience in PL/SQL and a detailed understanding of the business logic requirements.

Development Process

We used the following general process for development of BETR:

1. Define the application system's entity-relationship diagram and functional hierarchy diagram. Determine the business functions which the application is intended to implement. We performed these during our application analysis and high-level design stage.
2. Define the business messages that are required to implement each function. Each business message should be an atomic unit of work that leaves the database in a consistent state whether it succeeds or fails.
3. The two development teams performed this in several joint application design sessions where we hashed out physical implementation issues and agreed upon the stored procedure interfaces between the front-end and the server.
4. Create the tables and views needed for data access by the front-end. Write pseudo-code for each business operation. Implement each as a stub procedure.
5. Once this step was complete, the front-end and server development teams were able to work independently:
   • The server team implemented the stored procedure logic for each business message. They were able to efficiently unit-test the implementation each business message, using a script-based method.
   • The front-end team implemented the front-end user interface using the necessary database tables and stubbed procedure definitions. They were able to perform user-interface acceptance tests and test navigation and error handling without the need for a fully-functional server component.
6. Finally, we combined the front-end and back-end components of the application and perform complete system testing.

True to our expectations, the development of the front-end and back-end portions of the application can be performed in parallel once we had agreed upon the interface specifications.

Partitioning

The key to a successful design for any client-server system is balance, or application partitioning. For our application, "traditional" client-server, where most of the logic resides in the client workstation, was too client-intensive. On the other hand, using a tiered architecture with all the application's logic on the server would have made our application too server-intensive.

Rules of Thumb

It became apparent that we needed to develop some guidelines for partitioning our application. We decided on the following rules of thumb for identifying where we would place application code:

Table 1. Our "Rules of Thumb" for application partitioning

        Client                   Server                  Reasoning         

An operation that       A "business message,"     Greater security &       
changes control or      i.e., an operation that   control at               
set-up structures in    changes or creates        server-level.            
the database, such as   transaction data in the   Performance gain for     
modifying a             database, such as saving  pre-compiled & cached    
manager-employee        modifications to a time   PL/SQL                   
relationship.           record.                                            

A simple "generic"      An operation that         Client can best handle   
validation, such as     performs non-trivial      type checking.           
ensuring proper         information validation    Allows consolidation of  
datatype or size.       on a transaction, such    business logic at        
                        as ensuring that time     server.                  
                        record meets payroll      Packaged PL/SQL has      
                        integrity checks.         "fast" access to         
                                                  database; no network     
                                                  traffic.                 

"Ad hoc" operations     An operation that         PL/SQL has primitive     
that involve            involves fairly static    dynamic SQL              
dynamically generated   SQL.                      capabilities.            
SQL.                                              Performance benefit due  
                                                  to pre-compilation of    
                                                  PL/SQL is lost.          

An operation that       An operation that         Shields database         
requires relatively     requires complicated      complexity from          
simple SQL.             SQL.                      application programmer.  
                                                  "API"-style approach     

Operations that         Operations that           Centralized security     
manipulate "unsecured"  manipulate "secure"                                
objects.                objects.                                           

Obviously, it was crucial to determine:

• Which components could be considered "business messages"; i.e., are fairly static, repetitively invoked, and commonly used. We discovered that not only were transactions appropriate to be moved to the server, but also repetitively invoked queries, such as list-of-values operations.

  For example, our application had transactions such as SignTimesheet and ApproveTimesheet (representing electronic employee signature and approval signature) that were clear candidates for server implementation.

  A query that became a server-based component was ListValidChargeCodes, which produced a list of valid time charges based on the employee's current project assignment.

• Which components might be likely to change frequently due to policy or legal requirement changes. We decided that these should, for the most part, be located on the server where centralized administration was easy to perform.

  For example, we knew that our payroll validations could be fairly pliable, so the business action VerifyTimesheet was implemented on the server.

• Which components require centralized security. These would obviously migrate to the server.

  Because of government audit requirements, each change to a time record had to be recorded, so the SaveTimesheet procedure that stored time record information in database tables was a clear candidate for centralized implementation.

Physical Implementation

There were several issues that we dealt with once we began the real work of implementing the system.

Oracle

Each transaction or "business message" was implemented as an Oracle stored procedure. All of our stored procedures were packaged to maintain code modularity.

Most "read" and "populate" operations are performed using client-issued SQL that executes directly against database tables. In some cases, we have implemented stored procedures to generate a list-of-values. We did so when we felt that:

• The underlying database structure was sufficiently complex to warrant masking the complexity from front-end application programmers.
• The "list" operation was common and likely to be performed repeatedly by many on-line users.
• There was a possibility of generating a "run-away" query that could affect server performance.

The underlying database tables, views, and packages were created in a "secure" database account. Public synonyms were created for those objects that needed to be "readable" to a user of the system. Each user has an individual Oracle account, to which object and system privileges are granted to a user via an Oracle role.

Error Handling

We implement our business errors as real Oracle exceptions using the RAISE_APPLICATION_ERROR PL/SQL pragma. This halts application flow and uses a standard exception mechanism to propagate the error out to the front-end.

The system relies on Oracle's statement-level rollback to undo any work that had been performed up until the point that an error was detected, which greatly simplified much of our application programming. In addition, it makes the system "safe" in that each statement either completely succeeds or completely fails, leaving the database in a consistent state.

This has proven quite effective; however, this approach does have its limitations. Specifically, only fatal errors can be reported using RAISE_APPLICATION_ERROR; we had to build a separate mechanism to report warning messages.

SQLWindows

We used Gupta SQLWindows to implement the graphical front-end applications. We created functional classes that mirrored the packages created in the database, mapping each procedure in the package to a function for the class. It allowed us to:

• Write the stored procedure invocation code once, test it, then use the compiler to type-check for us whenever we called it from somewhere in the application.

• Dummy up result sets and actions for user interface testing before the Oracle stored procedures were completed.

For those procedures that returned result sets to the application (e.g., procedures that produce list-of-values), we used PL/SQL tables to populate SQLWindows arrays. Where more than one set of values was required, we used parallel arrays to retrieve values. Some words of caution here:

• You can pass at most 32K worth of information back and forth through any single array. This is determined by the maximum size of the PL/SQL variable.

  For example if you declare a PL/SQL table of VARCHAR2(1024), you'll be able to pass at most 32 items back and forth. (We actually discovered that it is somewhat less -- probably due to book-keeping information hidden somewhere.)

• When passing tables of VARCHAR2's from SQLWindows to Oracle, beware of a bug in the Gupta Router that embeds CHR(0) within the string and pads it out to the maximum width. For example, a table of VARCHAR2(10) whose first element contained "foobar" would reach Oracle looking like "foobar*%%%", where '*' is CHR(0) and '%' is CHR(32), a space.

  To get around this one, we had to create a clean-up function within Oracle to properly convert the strings.

• Beware of subtle bugs in Gupta's Router when dealing with NULL values (reading the release notes and unfixed bug list is well worth it!).

Be aware that SAL's SqlPLSQLCommand function always invokes the Oracle Call Interface routine odessp before running a stored procedure. Odessp itself invokes another Oracle stored procedure that queries the data dictionary to describe the target stored procedure's interface. The Router does this to ensure that the SQLWindows data types can be converted properly to Oracle datatypes; however, this effectively creates two stored procedure calls for each invocation of SqlPLSQLCommand.

Non-Windows Support

We used Oracle SQL*Forms 3.0 to implement the character based front-end applications. The character based front-end application runs as a host-mode application. Although we had originally planned to allow for a separate, dedicated machine to run the SQL*Forms application, both the RDBMS and SQL*Forms currently run on the same machine.

Lessons Learned

BETR has been a production system since September, 1994. During the past eight months we have learned quite a deal about deploying a custom application throughout the enterprise.

Tuning and Performance

Before production rollout, we did an extensive load test of the application system. This fairly easy to do because all of our transactions were encapsulated as stored procedures.

We wrote a simple SQLWindows application that opened multiple sessions with the server and issued a fixed set of transactions in a round-robin style. We ran the application on several PCs and were able simulate 200 concurrent users issuing a fairly standard set of transactions. From this, we gathered performance statistics (and discovered a number of Oracle and operating parameters that had been set too low!).

Since the initial benchmark of the system, we perform routine monitoring of our application server's resource usage. To date, we have supported 150 concurrent users (of about 2,500 named) on a DEC2100 single-processor machine without significant performance degradation. We plan to continue our rollout to support 8,000 named users with this machine, and estimate that this will result in about 500 concurrent sessions.

Deployment

We have chosen to deploy the application in a networked fashion. In other words, the application's executables and SQLWindows run-time DLLs reside on a network file server from which client workstations run the application. Bechtel's network topology is such that roughly 50 to 75 PCs are supported by a single file server. Although this does incur a significant performance penalty for individual users, it has allowed us to quickly and efficiently re-deploy the application throughout the company when performing upgrades and maintenance. As the application stabilizes and software replication technology matures, we will begin to experiment with locally-installed configurations.

Application Maintenance

Through that period we've seen several upgrades and enhancements that are classified below:

Table 2. Release Categories

  Category          Description          Frequency          Impact          

Major        Application re-write.      None yet!   Synchronized            
Release                                             re-distribution of      
                                                    client application and  
                                                    update of centralized   
                                                    database logic.         

Minor        Significant enhancement    Once per 4  Synchronized            
Release      of overall functionality   months      re-distribution of      
             (e.g., a new screen or                 client application and  
             other major new                        update of centralized   
             features).                             database logic.         
             Significant user                                               
             interface change.                                              

Maintenance  Minor enhancement of       Once per 2  Re-distribution of      
Release      functionality (e.g., a     months      client application.     
             new report).                                                   

Patch        Bug fixes, policy          Once per    Update of centralized   
             changes, legal             month       database logic.         
             requirements.                                                  

Minor Releases

Upgrades that require coordinated rollout of client application software and database-level changes are both the most difficult and highest-risk. It involves operations personnel to distribute the client software throughout the campus, as well as DBA personnel to run upgrade scripts.

The interface between the client and server components require that both be synchronized properly or the application will not function. (This has actually worked to our benefit in that it is an easy way to ensure that users are always running the most current version of the application.)

Roll-back of a "failed" upgrade is difficult because not only must old client software be re-distributed, but database software must be "downgraded" as well.

Maintenance Releases

These are easier to perform than minor releases, but still require propagation of client software throughout the campus.

Patches

Patches are by far the easiest to implement and occur fairly frequently. These require update to server logic for changes to company policy, etc. The beauty of the centralized business logic truly shows here when we are able to "invisibly" update the application logic by simply re-compiling a few Oracle packages.

The ability to perform server-only patches to the stored procedure code has proven to be a real "win" with our system.

Component Re-Use

One of our initial goals with BETR was to create a code base that could be easily and quickly re-used with other similar "corporate transaction gathering" applications. We are currently in the process of designing and developing an expense reporting application in which we hope to re-use some of the BETR PL/SQL code.

To date, we have had mixed success in re-using the packaged PL/SQL code in other applications. Unlike SAL or C++, PL/SQL's ability to dynamically generate and execute SQL is clumsy, at best. Forsaking dynamic SQL implies that any modification to a SQL statement requires duplication of the entire statement, or addition of "clever" WHERE conditions that both cloud application logic and reduce performance.

Although we will be able to re-use some of the PL/SQL procedures, we will not be able to recycle as much code as we had originally hoped.

Summary

We have been pleased with the success of our "light client" client-server architecture, and feel that it has lived up to most of our design expectations:

• To date, the architecture has supported the OLTP components of the BETR system very well. It appears to be scaling-up wonderfully as we add new users, and has required far less hardware than we initially predicted.
• The architecture was highly successful in supporting multiple interface layers; to date, we've implemented both graphical and character-based user interfaces. We are in the process of analyzing optical character recognition and voice response interfaces, and feel that either could be accommodated fairly easily.
• The architecture has allowed some success in re-using components in different application systems. PL/SQL has proven to be less pliable than we had initially hoped, but provides a robust and feature-complete development environment.
• The centralized architecture has proven to be highly secure, and successfully survived a DCAA audit. It has been extremely easy to administer: to date, we've needed less than a half-dozen client software updates -- almost all of our software updates have been made to centrally located server-based code.
• The architecture has proven to be quite network independent. The application runs with imperceptible degradation over the 56kbps segments of Bechtel's wide-area network, and performs acceptably over a 14.4kbps modem line.

Key Risks

Because of the complexity of coordinating and managing several separate development teams, a "light client" client-server application requires careful and thorough interface design before implementation begins. Interface changes after production rollout result in costly re-distribution of client software.

Key Benefits

In comparison to a traditional client-server architecture, application performance is improved, hardware and network load are reduced, distribution and maintenance costs are lowered, and security is increased by using a "light client" client-server architecture.

• The server requirements for an OLTP application implemented with the "light client" client-server architecture are less than those for other client-server architectures.
• Network traffic is strictly controlled in the "light client" client-server architecture, reducing the network-dependence of a comparable system implemented with another client-server architecture.
• Software distribution and maintenance costs are lower for an application implemented with the "light client" client-server architecture than for a comparable system implemented with a traditional client-server architecture because the "must-do" software maintenance is performed on a centrally maintained platform.
• Security risks are minimized. Users only have indirect access to data via the pre-defined business operations, which control and validate a user's actions.

The "light client" client-server architecture provides an elegant and effective method for implementing applications with a large installation base, transaction-intensive nature, and focused functional architecture.