Platform capabilities

Cloud implementations

HeartAI deploys to Microsoft Azure and implements modern and best-practice cloud technologies. Instances of HeartAI are often contained within corresponding Microsoft Enterprise Agreements as a subscription that bounds management, resource use, and billing. This allows HeartAI to deploy onto a corresponding Microsoft Azure Active Directory (AAD) tenancy. The system deploys to instances of Azure Virtual Networks. These networks are strictly private with no exposure of system endpoints to the public internet. The system deploys instances of Azure Key Vault as a sensitive data store, Azure Red Hat OpenShift for service orchestration, Azure Database for PostgreSQL as a managed data service, Azure Storage for general and secure cloud storage, Azure Monitor for near-real-time logging and monitoring, Azure Private DNS provides internal name resolution, Azure Network Watcher for logging and monitoring of network instances, Azure Network security groups for network traffic control, Azure DDoS Protection Standard as a modern denial-of-service mitigation framework, Azure Sentinel as an integrated and intelligent security information and event management stack, and Azure Defender for security alerts and advanced threat protection. Cloud resources are managed with the declarative Terraform infrastructure as code software tool. System resources of HeartAI are scalable, maintainable, cost-effective, and represent an implementation of best-practice hyper-converged infrastructure.

Cloud implementations

Further information about HeartAI cloud implementations may be found with the following documentation sections:

Operational implementations

HeartAI operational environments are cloud-native and compose containerised and/or virtualised components. These approaches allow a natively distributed deployment of operational components, where these components may be dynamically scaled to meet resource demand. Current orchestration software includes Red Hat OpenShift, Kubernetes, and Docker Compose, with container technologies provided by Docker and Podman. The primary system deployment implements Microsoft Azure Red Hat OpenShift, which provides a fully-managed of instance of Red Hat OpenShift on Microsoft Azure. OpenShift natively supports many popular technology frameworks.

For operational implementations, HeartAI endeavours to provide modern and robust security profiles. Operational orchestration with Microsoft Azure Red Hat OpenShift provides an increased ability to meet demanding security requirements. As a platform extension to Red Hat OpenShift instances, Red Hat Advanced Cluster Security (RHACS) is a Kubernetes-native security platform that provides best-in-class security integrations and solutions for container-based environments. RHACS security capabilities ensure that Kubernetes-based infrastructure is continuously protected and secure.

HeartAI instances of Red Hat OpenShift are integrated with cloud-native operational logging, monitoring, and observability software. Prometheus provides monitoring of systems and services, and Alertmanager implements event-triggered system behaviour. Grafana provides a real-time observability solution, with various adaptors to interface with data and metrics providers, allowing this data to be processed and visualised through reporting and user application dashboards.

Network implementations

HeartAI deploys to virtual networks with implementations that are provided by Microsoft Azure. Network instances typically deploy through a hub-spoke network topology with the hub instance implemented with Azure Virtual WAN (vWAN) with connectivity through virtual network peering between the virtual network and Azure vWAN hub instances. This allows HeartAI to deploy into existing organisational network topologies that implement an Azure vWAN hub with a well-defined connectivity mechanism. HeartAI network implementations are often private networks, and with the additional application of virtual network traffic routing this enforces network traffic to route through the corresponding organisational network topology to ensure that appropriate logging, monitoring, and access control is achieved.

HeartAI deploys supporting functionalities including Azure Private DNS to provide internal name resolution, Azure Network Watcher for logging and monitoring of network instances, and Azure Network security groups for network traffic control. HeartAI services do not expose network endpoints to the public internet - Service network resolution occurs internal to the HeartAI network or through private network extension.

HeartAI instances of Red Hat OpenShift provide native support for network management through first-class software-defined networking (SDN). This allows the OpenShift environment to operate as a virtual private cloud with OpenShift namespaces that are effectively separated from each other by tunnelled overlay network VXLAN. These implementations are natively provided by OpenShift integration with Open vSwitch. OpenShift allows location transparent name resolution to occur across a distributed cluster with name resolution provided with integrated CoreDNS instances. HeartAI typically deploys OpenShift through Microsoft Azure Red Hat OpenShift, such that OpenShift network instances are themselves virtualised as overlay networks on top of Azure virtual network instances.

HeartAI services are accessible through OpenShift service endpoint routes that are resolvable within the HeartAI domain and through the domains of extending networks. These endpoint routes provide network proxy to corresponding load-balanced reverse-proxies that are implemented with OpenShift services.

In addition to the SDN capabilities provided by OpenShift, HeartAI networking also implements OpenShift Service Mesh, providing advanced mechanisms for communication across services. The cloud-native service-mesh software Istio extends the OpenShift SDN with programmable and application-aware declarative network implementations. A core feature of Istio is the Envoy service proxy that is injectable as a sidecar into virtual IP hosts of the OpenShift SDN. Istio provides general approaches for network deployments, routing, traffic management, telemetry, and security. The management console Kiali provides capabilities for configuration, eventing, metrics, visualisation, and validation of network deployments that are implemented with Istio. Kiali allows for the display of service mesh structure by inferring traffic topology and health status. Kiali also provides native integration for the Grafana observability platform, and the Jaeger distributed tracing software.

Encryption over TLS occurs wherever possible for internal and external network communication. For example, service instances may communicate with each other via TCP over TLS, HTTPS, or WebSockets Secure. Similarly, backing services, such as persistent data stores, communicate with service instances through these mechanisms. Encryption also occurs for communication within OpenShift environments between the system control plane and compute nodes as well as between system components. The combined functionality of these approaches allows HeartAI network instances to be implemented as zero trust networks. The HeartAI OpenShift environment provides automated approaches for certificate issuance and management. This is primarily managed with the certificate management software cert-manager. cert-manager automates the issuance of certificates by utilising the ACME protocol, which also supports certificate rotation and revocation.

Network implementations

Further information about HeartAI network implementations may be found with the following documentation sections:

Identity and access management

HeartAI provides consolidated identity and access management by implementing the Keycloak platform. Keycloak integrates an authorisation service with OAuth 2.0, an identity service with OpenID Connect, and provides advanced identity and access features such as single sign-on (SSO), multi-factor authentication (MFA), identity brokering, and federated identity. Authentication with OpenID Connect allows identity brokering through the OpenID Connect and SAML, and identity federation through Kerberos and LDAP.

Users typically interact with HeartAI applications and services through well-defined endpoints that manage authentication and authorisation in an integrative way. For HeartAI web-based applications, this involves single-sign on functionality with information about the authentication state securely stored within a web browser session. For HeartAI service endpoints, the user is often required to manually interact with a HeartAI Keycloak server instance to retrieve an access token to then include this token in the request to a service endpoint. Throughout either approach, the application or service will further confirm the validity of the user identity and access token, such as the token having the correct role or group assignments, the token expiry time, the correct digital signatures, and will accept or reject each token on a per-request basis.

The ability to broker and federate identity provides additional capabilities with HeartAI deployments within host organisations. These approaches allow the user of a host organisation to authenticate with a HeartAI Keycloak instance by deferring authority to the identity provider of the organisation. For example, with the HeartAI deployment to the SA Health digital environment, SA Health users may authenticate with the corresponding HeartAI Keycloak instance by providing their SA Health Health Active Directory (HAD) identity credentials. Further, if the user is logged into a current Active Directory session, this login process is automated. These approaches are particularly important for maintaining process management and governance within a host organisation, where HeartAI can defer to the authority of these processes through identity brokering or identity federation. In this way users may have their scope of permissions defined by the host organisation and these permissions will be mapped through a HeartAI Keycloak instance to within the corresponding HeartAI environment.

Identity and access management

Further information about the HeartAI identity and access implementation may be found with the following documentation sections:

Service architecture

HeartAI services implement reactive microservices architectures and follow concepts from The Reactive Manifesto. Many architectural concepts of the system may be considered as reactive design patterns and event-driven architectures. The overall composition of these services creates the service-level application software of HeartAI. Services often represent domain models and bounded contexts, for example the HIB interface service implements domain functionality specific to the interface to the SA Health Health Information Broker (HIB). From the perspective of software design, service boundaries are bounded contexts and the state of domain entities are represented as corresponding aggregate roots. From the perspective of computational resource usage a service often implements delimited consistency to define a logical computation boundary. The Lagom Framework provides service abstractions, the Play Framework provides web services, and Akka provides an actor-based concurrency model. These approaches allow for robust message passing and event-driven architectures, providing systems that are extensible, scalable, reactive, performant, secure, resilient, and tolerant to failure.

HeartAI services provide:

  • Data architectures with performant persistence mechanisms that support event sourcing and CQRS, with a decomposition of write-side and read-side responsibilities. Write-side persistence optimises for high-throughput and low-latency transactions. Read-side persistence optimises for dynamic and performant query operations.

  • Decoupled inter-service communication, often through implementing a publish-subscribe message bus paradigm of data communication. These approaches allow services to communicate by translating message bus streaming layers into natively supported Akka Streams software streaming layers. Through these approaches, HeartAI services support the Reactive Streams specification including support for non-blocking backpressure propagation. The composition of these service functionalities allow the overall system to be elastic.

  • Application Programming Interface (API) layers that implement standard communication protocols. Current supported interfaces are: RESTful HTTP / HTTPS, WebSockets / WebSockets Secure, and Apache Kafka message bus endpoints. The current implementation primarily supports JSON and CBOR data encoding, however capability also exists for additional encoding formats.

Service architecture

Further information about the HeartAI service implementation may be found with the following documentation sections:

Development experience

HeartAI provides supportive environments to assist developers and contributors. A readily deployable developer environment is managed through Docker Compose, allowing transportable and reproducible development system deployments. Unit and integration testing frameworks are provided by ScalaTest and Akka Testing. Source contributions are managed through Git and GitHub source control management software. The HeartAI GitHub repository is integrated with GitHub Actions, providing mechanisms to test, package, and deploy source software to the HeartAI production environment. System resources are deployed to the HeartAI OpenShift cluster through integration with the OpenShift GitOps Operator. A core component of this process is the management of cluster resources with Argo CD. These approaches allow the validation and deployment of resources to occur through the GitHub managed review and deployment processes, and provide a supportive framework to encourage developer and contributor productivity and experience.

Deployment experience

Further information about the HeartAI deployment implementation may be found with the following documentation sections:

Analytical capabilities

HeartAI extends robust data systems with modern and high-performance analytical capabilities, including support for state-of-the-art probabilistic computation and machine learning methodologies. These capabilities allow for conventional data reporting and analytics through to real-time artificial intelligence and learning systems. HeartAI analytical capabilities allow for real-time analytics including prediction, decision support, and optimisation.

For probabilistic computation, HeartAI implements Stan as a powerful probabilistic programming language and high-performance statistical computation library. Stan provides extensive support for probabilistic programming constructs and modern Markov chain Monte Carlo (MCMC) optimisation methods, including Hamiltonian Monte Carlo and no-U-turn sampling (NUTS) optimisation approaches.

For machine learning methodologies, HeartAI implements conventional XGBoost regularising gradient boosting frameworks, and further extends with modern deep learning approaches using PyTorch with the Python programming language.

As a representative example of the implementation capabilities of HeartAI, consider the proposed HeartAI implementations for RAPIDx AI. The RAPIDx AI project will deploy an AI-based diagnostic algorithm for patients with potential Type I or Type II myocardial infarction and myocardial injury within the emergency departments (EDs) of six South Australian hospitals, and will provide protocolised recommendations for medical management of these patients.

Analytical capabilities

Further information about HeartAI analytical capabilities may be found with the following documentation sections: