Software Requirements Specification (SRS)

ระบบผู้ดูแลระบบ - โรงพยาบาลจังหวัด

Document Version: 2.1 (Template-Standardized Edition)
Date: 28 สิงหาคม 2568
Project: Hospital Information System - System Administration Module
System Code: SYS_ADMIN
Target Hospital: โรงพยาบาลระดับจังหวัด (500+ เตียง, 100+ ผู้ใช้พร้อมกัน)
Technology Stack: Next.js 14, TypeScript, Nest.js, PostgreSQL 15+, Prisma ORM
Based on: TOR ระบบผู้ดูแลระบบ และ SRS Template Standard v1.0

Dependencies:
- Foundation system for all MediTech modules
- Provides authentication, authorization, and audit services to:
- EMR_CORE, APPT_QUEUE, ER_SYSTEM, OPD_CPOE, CENTRAL_LAB, PATHOLOGY
- RADIOLOGY, IPD_SYSTEM, PHARMACY, FINANCIAL, REFERRAL

📋 Table of Contents

บทนำและขอบเขตโครงการ
ความต้องการเชิงหน้าที่ (Functional Requirements)
ความต้องการด้านประสิทธิภาพ (Performance Requirements)
ความต้องการด้านความปลอดภัย (Security Requirements)
ความต้องการด้านการเชื่อมต่อ (Integration Requirements)
ความต้องการด้านการใช้งาน (Usability Requirements)
ความต้องการด้านการปฏิบัติตามกฎระเบียบ (Compliance Requirements)
ข้อกำหนดทางเทคนิค (Technical Specifications)
การทดสอบและประกันคุณภาพ (Testing & Quality Assurance)
เอกสารและรายงาน (Documentation & Reporting)
การติดตั้งและการนำไปใช้ (Implementation & Deployment)
การบำรุงรักษาและสนับสนุน (Maintenance & Support)
การติดตามและประเมินผล (Monitoring & Evaluation)
การจัดการความเสี่ยง (Risk Management)
การฝึกอบรมและการเปลี่ยนแปลง (Training & Change Management)
สรุปและการอนุมัติ (Summary & Approval)
ภาคผนวก (Appendices)

1. บทนำและขอบเขตโครงการ

1.1 วัตถุประสงค์ของเอกสาร

เอกสารนี้กำหนดความต้องการทางซอฟต์แวร์สำหรับระบบผู้ดูแลระบบ ซึ่งเป็นระบบพื้นฐาน (Foundation System) ของ MediTech HIS ecosystem ที่ให้บริการจัดการผู้ใช้งาน, ความปลอดภัย, การกำหนดค่า, และการบันทึกการตรวจสอบ (Audit Trail) ตามเอกสาร TOR ที่ครอบคลุม:

การจัดการผู้ใช้งานและบทบาท (User & Role Management)
ระบบความปลอดภัยและการยืนยันตัวตน (Security & Authentication)
การกำหนดค่าคอนฟิกระบบ (System Configuration)
การบันทึกและตรวจสอบการใช้งาน (Audit Trail & Compliance)
การเชื่อมต่อกับระบบภายนอก (External System Integration)

1.2 ขอบเขตของระบบ

ระบบที่รวมอยู่ใน Scope:

User Account Management (การจัดการบัญชีผู้ใช้งาน)
Role-Based Access Control (RBAC) (การควบคุมสิทธิ์ตามบทบาท)
Multi-Factor Authentication (MFA) (การยืนยันตัวตนหลายชั้น)
Digital Signature Management (การจัดการลายเซ็นดิจิทัล)
System Configuration Management (การกำหนดค่าระบบ)
Audit Trail & Logging (การบันทึกและตรวจสอบ)
Foundation APIs for all MediTech modules
Master Data Management (Departments, Positions, Permissions)
Session & Token Management (JWT + Refresh Token)
Compliance Monitoring (PDPA, Healthcare Standards)

ระบบที่อยู่นอก Scope:

การจัดการเนื้อหาทางคลินิก (อยู่ในโมดูลเฉพาะ)
การจัดการข้อมูลผู้ป่วย (อยู่ใน EMR_CORE)
การจัดการทรัพยากรโรงพยาบาล (Infrastructure Management)
การจัดการคลังข้อมูล (Data Warehouse Management)

1.3 คำจำกัดความและคำย่อ

คำศัพท์	คำจำกัดความ
RBAC	Role-Based Access Control - การควบคุมสิทธิ์ตามบทบาท
MFA	Multi-Factor Authentication - การยืนยันตัวตนหลายชั้น
JWT	JSON Web Token - โทเค็นสำหรับการยืนยันตัวตน
LDAP/AD	Lightweight Directory Access Protocol / Active Directory
RFID	Radio Frequency Identification - ระบบบัตรความถี่คลื่นวิทยุ
Session	ช่วงเวลาการเข้าใช้ระบบ
Audit Trail	ร่องรอยการตรวจสอบการใช้งาน
Digital Signature	ลายเซ็นดิจิทัลที่มีความน่าเชื่อถือทางกฎหมาย
PDPA	Personal Data Protection Act - พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล
API	Application Programming Interface - ส่วนติดต่อการเขียนโปรแกรม
Guards	Nest.js Security Guards - ตัวป้องกันความปลอดภัย

1.4 การอ้างอิง

TOR ระบบผู้ดูแลระบบ (System Administration Module) v2.0
SRS Template Standard v1.0 (MediTech)
TOR Relationship Analysis v1.0 (System Architecture Overview)
MediTech Overall System Architecture
Database Schema Standards (schema.md)
API Design Guidelines (Foundation APIs)
PDPA Compliance Framework
Healthcare Security Standards (ISO 27001, HIPAA-like)
JWT Authentication Standards (Nest.js + Passport.js)
Role-Based Access Control Best Practices
Digital Signature Standards (Legal Compliance)

1.5 ภาพรวมของเอกสาร

เอกสารนี้แบ่งออกเป็น 17 หมวดหลัก ครอบคลุมตั้งแต่ความต้องการเชิงหน้าที่ ไปจนถึงการนำไปใช้และบำรุงรักษา โดยเน้นการเป็นระบบพื้นฐานสำคัญ ที่ให้บริการจัดการผู้ใช้งาน, ความปลอดภัย, และการตรวจสอบสำหรับระบบทั้งหมดใน MediTech ecosystem

2. Overall Description

2.1 Product Perspective

The System Administration Module integrates with all MediTech HIS components:

┌─────────────────────────────────────────────────────────────┐
│                System Administration Module                  │
├─────────────────────────────────────────────────────────────┤
│  User Management │ Security Admin │ System Config │ Audit   │
└─────────────────────────────────────────────────────────────┘
                                │
                    ┌───────────┼───────────┐
                    │           │           │
            ┌───────▼────┐ ┌────▼───┐ ┌────▼──────┐
            │    EMR     │ │  CPOE  │ │   eMAR    │
            │  System    │ │ System │ │  System   │
            └────────────┘ └────────┘ └───────────┘
                    │           │           │
            ┌───────▼────┐ ┌────▼───┐ ┌────▼──────┐
            │ Laboratory │ │ Imaging│ │ Pharmacy  │
            │   System   │ │ System │ │  System   │
            └────────────┘ └────────┘ └───────────┘

2.2 Product Functions

Major functions include: - User Lifecycle Management: Account creation, modification, deactivation - Role-Based Access Control: Hierarchical permission management - Multi-Factor Authentication: RFID, biometric, smart card integration - Digital Signature Management: Legal-compliant electronic signatures - System Security: Network access control, device management - Configuration Management: Hospital-wide system settings - Audit and Compliance: Comprehensive activity logging and reporting

2.3 User Characteristics

Primary user types:

User Type	Role	Technical Expertise	Primary Tasks
System Administrator	IT Management	Expert	Full system control, user management
Security Officer	Information Security	Advanced	Security policy enforcement
Department Head	Clinical Leadership	Intermediate	Staff access approval
Compliance Officer	Legal/Regulatory	Intermediate	Audit review, policy compliance

2.4 Operating Environment

Backend Platform: Nest.js (Node.js 18+ + TypeScript)
Frontend Platform: Next.js 14 + React 18 + TypeScript
Database: PostgreSQL 15+ with Redis 7+ (Caching/Sessions)
ORM: Prisma with Nest.js integration
Authentication: Nest.js JWT + Passport strategies
Web Browsers: Chrome 90+, Firefox 88+, Safari 14+, Edge 88+
Mobile Support: Responsive web design with PWA capabilities
Network: Hospital intranet with secure VPN access

3. System Features

3.1 User Management (การจัดการผู้ใช้งาน)

3.1.1 Description and Priority

Priority: High
Core functionality for managing healthcare staff accounts, roles, and organizational structure.

3.1.2 Functional Requirements

3.1.2.1 User Account Management - REQ-USR-001: System SHALL provide functionality to create new user accounts with mandatory fields: - Employee ID (unique identifier) - National ID (Thai 13-digit format validation) - Full name (Thai and English) - Department/Unit affiliation - Position/Title - Contact information (email, phone) - Employment status (active, inactive, suspended)

REQ-USR-002: System SHALL validate user information against hospital HR database
REQ-USR-003: System SHALL support bulk user import via CSV/Excel with validation
REQ-USR-004: System SHALL maintain user profile history for audit purposes
REQ-USR-005: System SHALL provide user search functionality with filters (department, position, status)

3.1.2.2 Role-Based Access Control (RBAC) - REQ-RBAC-001: System SHALL implement hierarchical role structure: - System Administrator: Full system access - Department Administrator: Department-level management - Clinical Supervisor: Clinical staff oversight - Doctor: Clinical decision-making access - Nurse: Patient care documentation - Pharmacist: Medication management - Laboratory Technician: Test result entry - Registration Staff: Patient admission/registration - Kiosk User: Limited self-service access

REQ-RBAC-002: System SHALL support role templates for common positions
REQ-RBAC-003: System SHALL allow custom role creation with granular permissions
REQ-RBAC-004: System SHALL implement role inheritance and delegation
REQ-RBAC-005: System SHALL support temporary role assignment with expiration

3.1.2.3 Department and Position Management - REQ-DEPT-001: System SHALL maintain organizational hierarchy - REQ-DEPT-002: System SHALL support multi-department user assignments - REQ-DEPT-003: System SHALL track position changes for workflow routing

3.1.3 System Responses

User creation confirmation with account details
Role assignment notifications
Validation error messages with specific field guidance
Bulk operation progress reporting

3.2 Permission and Access Control (การกำหนดสิทธิ์การเข้าถึง)

3.2.1 Description and Priority

Priority: High
Granular permission management across all system modules with audit capabilities.

3.2.2 Functional Requirements

3.2.2.1 Module-Based Permissions - REQ-PERM-001: System SHALL provide module-level access control: - EMR System (Electronic Medical Records) - CPOE System (Computerized Provider Order Entry) - eMAR System (Electronic Medication Administration Record) - Laboratory Information System - Radiology Information System - Pharmacy Management System - Queue Management System - Appointment System - Billing System

3.2.2.2 Function-Level Permissions - REQ-PERM-002: System SHALL support action-based permissions: - View: Read-only access to information - Create: Add new records/entries - Edit: Modify existing records - Delete: Remove records (with audit trail) - Approve: Authorize clinical orders/documents - Export: Download data in various formats - Print: Generate physical documents - Sign: Apply digital signatures

3.2.2.3 Permission Templates - REQ-PERM-003: System SHALL provide pre-configured permission templates - REQ-PERM-004: System SHALL allow template customization and saving - REQ-PERM-005: System SHALL support permission inheritance from templates

3.2.2.4 Dynamic Access Control - REQ-PERM-006: System SHALL implement time-based access restrictions - REQ-PERM-007: System SHALL support location-based access control - REQ-PERM-008: System SHALL provide emergency access override with justification

3.3 Authentication System (ระบบพิสูจน์ตัวตน)

3.3.1 Description and Priority

Priority: Critical
Multi-factor authentication system supporting various identification methods for healthcare environments.

3.3.2 Functional Requirements

3.3.2.1 Primary Authentication Methods - REQ-AUTH-001: System SHALL support username/password authentication with: - Minimum 8-character passwords - Complexity requirements (uppercase, lowercase, numbers, symbols) - Password expiration policy (90 days) - Password history prevention (last 12 passwords)

3.3.2.2 Multi-Factor Authentication - REQ-AUTH-002: System SHALL integrate RFID card authentication: - Employee badge scanning - Proximity card readers - Card validation against employee database

REQ-AUTH-003: System SHALL support biometric authentication:
Fingerprint scanning with template storage
Multiple finger enrollment for redundancy
Biometric template encryption
REQ-AUTH-004: System SHALL integrate Thai National ID smart card:
Smart card reader interface
PKI certificate validation
Government ID verification
REQ-AUTH-005: System SHALL support two-factor authentication combinations:
Password + RFID
Password + Fingerprint
RFID + Fingerprint
Smart Card + PIN

3.3.2.3 Authentication Policy Management - REQ-AUTH-006: System SHALL allow per-group authentication requirements - REQ-AUTH-007: System SHALL implement account lockout policies: - Maximum failed attempts (configurable, default 5) - Lockout duration (configurable, default 30 minutes) - Progressive lockout increases

REQ-AUTH-008: System SHALL maintain authentication logs with timestamps
REQ-AUTH-009: System SHALL support single sign-on (SSO) across modules

3.4 Network and Device Access Control (การจัดการการเข้าถึงตามเครือข่าย)

3.4.1 Description and Priority

Priority: High
Network-level security controls for device and location-based access management.

3.4.2 Functional Requirements

3.4.2.1 IP and MAC Address Control - REQ-NET-001: System SHALL validate IP address ranges: - Hospital network IP whitelist - Department-specific IP ranges - Remote access VPN validation

REQ-NET-002: System SHALL track MAC addresses for device identification
REQ-NET-003: System SHALL support device registration and approval workflow

3.4.2.2 Device Management - REQ-DEV-001: System SHALL maintain device inventory: - Workstation identification - Mobile device registration - Medical equipment terminals

REQ-DEV-002: System SHALL implement device locking mechanisms:
Automatic screen lock after inactivity
Remote device lock capability
Device-specific access restrictions

3.4.2.3 Location-Based Access - REQ-LOC-001: System SHALL support location-based restrictions: - Department-specific access - Nursing station limitations - Emergency area overrides

3.5 Digital Signature Management (ระบบจัดการลายเซ็นอิเล็กทรอนิกส์)

3.5.1 Description and Priority

Priority: High
Legal-compliant digital signature system for medical document authentication.

3.5.2 Functional Requirements

3.5.2.1 Signature Registration - REQ-SIG-001: System SHALL support multiple signature types: - PKI-based digital signatures (X.509 certificates) - Thai National ID card signatures - Biometric signatures (handwritten pad) - Hand-drawn electronic signatures

REQ-SIG-002: System SHALL validate signature authority:
Medical license verification
Position-based signing rights
Delegation approval chains

3.5.2.2 Document Signing - REQ-SIG-003: System SHALL enable signatures on medical documents: - Prescription orders - Medical certificates - SOAP notes - CPOE orders - Laboratory reports - Discharge summaries

REQ-SIG-004: System SHALL maintain signature integrity:
Cryptographic signature validation
Document tampering detection
Timestamp authority integration

3.5.2.3 Legal Compliance - REQ-SIG-005: System SHALL comply with Thai e-Signature Act - REQ-SIG-006: System SHALL provide signature verification for legal proceedings - REQ-SIG-007: System SHALL maintain long-term signature validity

3.6 System Configuration (การตั้งค่าระบบ)

3.6.1 Description and Priority

Priority: Medium
Centralized system configuration management for hospital-wide settings.

3.6.2 Functional Requirements

3.6.2.1 Hospital Branding - REQ-CFG-001: System SHALL allow hospital logo upload and management - REQ-CFG-002: System SHALL support hospital name and address configuration - REQ-CFG-003: System SHALL enable custom color schemes and themes

3.6.2.2 Security Settings - REQ-CFG-004: System SHALL provide configurable session timeout: - Default timeout: 30 minutes - Range: 5-120 minutes - Role-specific timeout settings

REQ-CFG-005: System SHALL configure password policies:
Length requirements
Complexity rules
Expiration periods
History limits

3.6.2.3 System Maintenance - REQ-CFG-006: System SHALL schedule automatic backups - REQ-CFG-007: System SHALL configure system maintenance windows - REQ-CFG-008: System SHALL manage system notifications and alerts

3.7 Advanced Features (ความสามารถพิเศษเพิ่มเติม)

3.7.1 Template Manager

REQ-TMP-001: System SHALL provide form template management for recurring forms and orders
REQ-TMP-002: System SHALL support template versioning and approval workflow
REQ-TMP-003: System SHALL allow template categorization by department, role, and module
REQ-TMP-004: System SHALL provide template usage analytics and optimization recommendations

3.7.2 Workflow Rule Editor

REQ-WF-001: System SHALL provide workflow rule configuration based on user roles and permissions
REQ-WF-002: System SHALL support conditional workflow routing with approval chains
REQ-WF-003: System SHALL enable creation of custom workflow rules for department-specific processes
REQ-WF-004: System SHALL support automated workflow triggers based on system events

3.7.3 Administrator Dashboard

REQ-DASH-001: System SHALL display system usage statistics
REQ-DASH-002: System SHALL show real-time system health monitoring
REQ-DASH-003: System SHALL provide alert notifications for system issues

3.7.4 API Key Management

REQ-API-001: System SHALL manage external API access keys
REQ-API-002: System SHALL track API usage and rate limiting
REQ-API-003: System SHALL provide API access audit trails

4. External Interface Requirements

4.1 User Interfaces

4.1.1 Web Interface Requirements

REQ-UI-001: Responsive design supporting desktop, tablet, and mobile devices
REQ-UI-002: Support for Thai and English languages
REQ-UI-003: Accessibility compliance (WCAG 2.1 Level AA)
REQ-UI-004: Dark mode support for night shifts
REQ-UI-005: Customizable dashboard layouts

4.1.2 User Experience Requirements

REQ-UX-001: Intuitive navigation with breadcrumbs
REQ-UX-002: Context-sensitive help system
REQ-UX-003: Keyboard shortcuts for power users
REQ-UX-004: Progressive disclosure of advanced features

4.2 Hardware Interfaces

4.2.1 RFID Reader Integration

REQ-HW-001: Support for standard RFID card readers (125kHz, 13.56MHz)
REQ-HW-002: USB and TCP/IP connectivity options
REQ-HW-003: Multiple reader support for workstations

4.2.2 Biometric Device Integration

REQ-HW-004: Fingerprint scanner compatibility (FBI PIV certified)
REQ-HW-005: Template extraction and comparison
REQ-HW-006: Liveness detection capabilities

4.2.3 Smart Card Reader Integration

REQ-HW-007: Thai National ID card reader support
REQ-HW-008: PKI certificate extraction
REQ-HW-009: Secure PIN entry capabilities

4.3 Software Interfaces

4.3.1 Database Interfaces

REQ-DB-001: PostgreSQL 15+ primary database connection
REQ-DB-002: Read-only connections to HR systems
REQ-DB-003: Integration with existing HIS databases

4.3.2 External System Interfaces

REQ-EXT-001: Hospital HR system integration for employee data
REQ-EXT-002: Active Directory/LDAP integration for user authentication
REQ-EXT-003: Email server integration for notifications
REQ-EXT-004: SMS gateway for mobile alerts

4.3.3 API Requirements

REQ-API-004: RESTful API with OpenAPI specification
REQ-API-005: JWT token-based authentication
REQ-API-006: Rate limiting and throttling
REQ-API-007: API versioning support

4.4 Communication Interfaces

4.4.1 Network Protocols

REQ-NET-004: HTTPS/TLS 1.3 for all web communications
REQ-NET-005: WebSocket support for real-time updates
REQ-NET-006: TCP/IP for hardware device communications

4.4.2 Security Protocols

REQ-SEC-001: OAuth 2.0/OpenID Connect support
REQ-SEC-002: SAML 2.0 for SSO integration
REQ-SEC-003: PKI infrastructure integration

5. Non-Functional Requirements

5.1 Performance Requirements

5.1.1 Response Time Requirements

REQ-PERF-001: User authentication SHALL complete within 2 seconds
REQ-PERF-002: User search results SHALL display within 1 second
REQ-PERF-003: Permission validation SHALL complete within 500ms
REQ-PERF-004: Dashboard loading SHALL complete within 3 seconds

5.1.2 Throughput Requirements

REQ-PERF-005: System SHALL support 500 concurrent users
REQ-PERF-006: System SHALL handle 10,000 authentication requests per hour
REQ-PERF-007: Batch operations SHALL process 1,000 records per minute

5.1.3 Capacity Requirements

REQ-PERF-008: System SHALL support up to 10,000 user accounts
REQ-PERF-009: System SHALL maintain 5 years of audit log data
REQ-PERF-010: Database SHALL handle 100GB of operational data

5.2 Security Requirements

5.2.1 Authentication Security

REQ-SEC-004: Multi-factor authentication for administrative accounts
REQ-SEC-005: Account lockout after failed login attempts
REQ-SEC-006: Session management with secure tokens
REQ-SEC-007: Password encryption using bcrypt/Argon2

5.2.2 Data Security

REQ-SEC-008: Data encryption at rest using AES-256
REQ-SEC-009: Data encryption in transit using TLS 1.3
REQ-SEC-010: PII data tokenization for sensitive information
REQ-SEC-011: Secure key management and rotation

5.2.3 Access Control Security

REQ-SEC-012: Principle of least privilege implementation
REQ-SEC-013: Regular access review and certification
REQ-SEC-014: Segregation of duties for critical functions
REQ-SEC-015: Administrative access monitoring and alerting

5.3 Reliability Requirements

5.3.1 Availability

REQ-REL-001: System SHALL maintain 99.5% uptime during business hours
REQ-REL-002: Planned maintenance windows outside business hours
REQ-REL-003: Maximum 4 hours recovery time for critical failures
REQ-REL-004: Database backup and recovery procedures

5.3.2 Error Handling

REQ-REL-005: Graceful degradation during partial system failures
REQ-REL-006: Comprehensive error logging and monitoring
REQ-REL-007: User-friendly error messages without technical details
REQ-REL-008: Automatic retry mechanisms for transient failures

5.4 Usability Requirements

5.4.1 Ease of Use

REQ-USE-001: New users SHALL complete basic tasks within 30 minutes of training
REQ-USE-002: Common tasks SHALL require maximum 3 clicks
REQ-USE-003: Context-sensitive help available on all screens
REQ-USE-004: Consistent interface patterns across modules

5.4.2 Accessibility

REQ-USE-005: WCAG 2.1 AA compliance for accessibility
REQ-USE-006: Keyboard navigation support
REQ-USE-007: Screen reader compatibility
REQ-USE-008: Color contrast ratios meeting accessibility standards

5.5 Scalability Requirements

5.5.1 User Scalability

REQ-SCALE-001: Architecture SHALL support horizontal scaling
REQ-SCALE-002: Database partitioning for large datasets
REQ-SCALE-003: Caching mechanisms for improved performance
REQ-SCALE-004: Load balancing for high availability

5.5.2 Data Scalability

REQ-SCALE-005: Audit log archiving and purging policies
REQ-SCALE-006: Data compression for historical records
REQ-SCALE-007: Index optimization for query performance

6. Technical Requirements

6.1 Backend Architecture (Nest.js)

6.1.1 Framework Requirements

REQ-TECH-001: Nest.js framework with TypeScript 5+
REQ-TECH-002: Modular architecture with feature modules (@Module decorators)
REQ-TECH-003: Dependency injection container with @Injectable services
REQ-TECH-004: Decorator-based development pattern (@Controller, @Get, @Post, etc.)

6.1.2 Database Integration

REQ-TECH-005: Prisma ORM with @nestjs/prisma integration
REQ-TECH-006: Database migration management with Prisma migrate
REQ-TECH-007: PostgreSQL connection pooling and optimization
REQ-TECH-008: Transaction management using Prisma.$transaction

6.1.3 Authentication and Security

REQ-TECH-009: Passport.js with @nestjs/passport integration (JWT, Local strategies)
REQ-TECH-010: JWT token implementation with refresh tokens using @nestjs/jwt
REQ-TECH-011: Rate limiting with @nestjs/throttler and Redis 7+
REQ-TECH-012: Input validation using class-validator and class-transformer DTOs

6.1.4 API Development

REQ-TECH-013: RESTful API design with @nestjs/common decorators
REQ-TECH-014: OpenAPI/Swagger documentation with @nestjs/swagger
REQ-TECH-015: API versioning strategy using @nestjs/common versioning
REQ-TECH-016: Error handling with built-in exception filters and guards

6.2 Frontend Architecture (Next.js)

6.2.1 Framework Requirements

REQ-TECH-017: Next.js 14 with App Router
REQ-TECH-018: TypeScript for type safety
REQ-TECH-019: Server-side rendering (SSR) capabilities
REQ-TECH-020: Static site generation where applicable

6.2.2 UI Components

REQ-TECH-021: Ant Design 5+ component library with Next.js 14 integration
REQ-TECH-022: Tailwind CSS 3+ for utility-first styling
REQ-TECH-023: Responsive design with mobile-first approach
REQ-TECH-024: Reusable components with TypeScript interfaces

6.2.3 State Management

REQ-TECH-025: Zustand for global state management
REQ-TECH-026: React Query for server state management
REQ-TECH-027: Form state management with react-hook-form
REQ-TECH-028: Local storage for user preferences

6.2.4 Integration Features

REQ-TECH-029: WebSocket integration for real-time updates
REQ-TECH-030: File upload and management
REQ-TECH-031: Print functionality for reports
REQ-TECH-032: Export functionality (PDF, CSV, Excel)

6.3 Database Design (PostgreSQL + Prisma)

6.3.1 Schema Design

-- Core user management tables
CREATE TABLE users (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    employee_id VARCHAR(20) UNIQUE NOT NULL,
    national_id VARCHAR(13) UNIQUE NOT NULL,
    username VARCHAR(50) UNIQUE NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    full_name_th VARCHAR(200) NOT NULL,
    full_name_en VARCHAR(200) NOT NULL,
    email VARCHAR(100) UNIQUE NOT NULL,
    phone VARCHAR(20),
    department_id UUID REFERENCES departments(id),
    position_id UUID REFERENCES positions(id),
    status VARCHAR(20) DEFAULT 'active',
    last_login_at TIMESTAMP,
    password_expires_at TIMESTAMP,
    created_at TIMESTAMP DEFAULT NOW(),
    updated_at TIMESTAMP DEFAULT NOW()
);

-- Role-based access control
CREATE TABLE roles (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    name VARCHAR(100) NOT NULL,
    description TEXT,
    is_system_role BOOLEAN DEFAULT false,
    created_at TIMESTAMP DEFAULT NOW()
);

CREATE TABLE permissions (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    module VARCHAR(50) NOT NULL,
    action VARCHAR(50) NOT NULL,
    description TEXT,
    UNIQUE(module, action)
);

CREATE TABLE role_permissions (
    role_id UUID REFERENCES roles(id) ON DELETE CASCADE,
    permission_id UUID REFERENCES permissions(id) ON DELETE CASCADE,
    PRIMARY KEY (role_id, permission_id)
);

CREATE TABLE user_roles (
    user_id UUID REFERENCES users(id) ON DELETE CASCADE,
    role_id UUID REFERENCES roles(id) ON DELETE CASCADE,
    assigned_at TIMESTAMP DEFAULT NOW(),
    expires_at TIMESTAMP,
    assigned_by UUID REFERENCES users(id),
    PRIMARY KEY (user_id, role_id)
);

-- Authentication methods
CREATE TABLE user_authentication_methods (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id UUID REFERENCES users(id) ON DELETE CASCADE,
    method_type VARCHAR(20) NOT NULL, -- 'password', 'rfid', 'fingerprint', 'smartcard'
    method_data JSONB NOT NULL,
    is_primary BOOLEAN DEFAULT false,
    is_active BOOLEAN DEFAULT true,
    created_at TIMESTAMP DEFAULT NOW()
);

-- Digital signatures
CREATE TABLE digital_signatures (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id UUID REFERENCES users(id) ON DELETE CASCADE,
    signature_type VARCHAR(20) NOT NULL, -- 'pki', 'biometric', 'drawn'
    signature_data BYTEA NOT NULL,
    certificate_data BYTEA,
    is_active BOOLEAN DEFAULT true,
    created_at TIMESTAMP DEFAULT NOW()
);

-- Audit trail
CREATE TABLE audit_logs (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id UUID REFERENCES users(id),
    session_id VARCHAR(255),
    action VARCHAR(100) NOT NULL,
    resource_type VARCHAR(50),
    resource_id VARCHAR(100),
    ip_address INET,
    user_agent TEXT,
    request_data JSONB,
    response_status INTEGER,
    created_at TIMESTAMP DEFAULT NOW()
);

-- System configuration
CREATE TABLE system_configurations (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    category VARCHAR(50) NOT NULL,
    key VARCHAR(100) NOT NULL,
    value TEXT,
    data_type VARCHAR(20) NOT NULL, -- 'string', 'number', 'boolean', 'json'
    description TEXT,
    is_sensitive BOOLEAN DEFAULT false,
    updated_by UUID REFERENCES users(id),
    updated_at TIMESTAMP DEFAULT NOW(),
    UNIQUE(category, key)
);

-- Device and network access control
CREATE TABLE registered_devices (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    device_name VARCHAR(100) NOT NULL,
    mac_address VARCHAR(17) UNIQUE NOT NULL,
    ip_address INET,
    device_type VARCHAR(50),
    location VARCHAR(100),
    is_approved BOOLEAN DEFAULT false,
    approved_by UUID REFERENCES users(id),
    approved_at TIMESTAMP,
    last_seen_at TIMESTAMP,
    created_at TIMESTAMP DEFAULT NOW()
);

6.3.2 Database Requirements

REQ-DB-004: PostgreSQL 15+ with Prisma native support
REQ-DB-005: JSONB support via Prisma Json type
REQ-DB-006: Full-text search with tsvector columns
REQ-DB-007: Database encryption at rest with transparent data encryption

6.3.3 Performance Optimization

REQ-DB-008: Appropriate indexing strategy
REQ-DB-009: Query optimization and monitoring
REQ-DB-010: Database connection pooling
REQ-DB-011: Partitioning for large audit tables

7. Compliance and Standards

7.1 Healthcare Standards Compliance

7.1.1 ISO/IEC 27001 (Information Security Management)

REQ-COMP-001: Information Security Management System (ISMS) implementation
REQ-COMP-002: Risk assessment and treatment procedures
REQ-COMP-003: Security incident management processes
REQ-COMP-004: Business continuity planning

7.1.2 ISO/IEC 27799 (Health Informatics Security)

REQ-COMP-005: Healthcare-specific security controls
REQ-COMP-006: Clinical data protection measures
REQ-COMP-007: Medical device security integration
REQ-COMP-008: Patient data confidentiality controls

7.2 Thai Legal Compliance

7.2.1 PDPA (Personal Data Protection Act)

REQ-COMP-009: Consent management for data processing
REQ-COMP-010: Data subject rights implementation (access, correction, deletion)
REQ-COMP-011: Data breach notification procedures
REQ-COMP-012: Cross-border data transfer controls

7.2.2 e-Signature Act Compliance

REQ-COMP-013: Legal validity of electronic signatures
REQ-COMP-014: Certificate authority integration
REQ-COMP-015: Non-repudiation mechanisms
REQ-COMP-016: Long-term signature preservation

7.3 Healthcare Regulatory Compliance

7.3.1 Medical Record Regulations

REQ-COMP-017: Medical record retention periods (15 years minimum)
REQ-COMP-018: Healthcare professional licensing verification
REQ-COMP-019: Medical practice act compliance
REQ-COMP-020: Patient rights and consent documentation

7.3.2 Audit and Quality Assurance

REQ-COMP-021: Comprehensive audit trail maintenance
REQ-COMP-022: Quality assurance reporting capabilities
REQ-COMP-023: Regulatory inspection support
REQ-COMP-024: Document retention and archival policies

8. Appendices

Appendix A: Glossary

Term	Definition
CPOE	Computerized Provider Order Entry - Electronic system for medical orders
eMAR	Electronic Medication Administration Record - Digital medication tracking
EMR	Electronic Medical Record - Digital patient medical records
HIS	Hospital Information System - Integrated hospital management system
PDPA	Personal Data Protection Act - Thai data privacy law
PKI	Public Key Infrastructure - Cryptographic framework for digital certificates
RBAC	Role-Based Access Control - Permission management system
SSO	Single Sign-On - Unified authentication across systems

Appendix B: User Role Matrix

Role	EMR	CPOE	eMAR	Lab	Pharmacy	Admin	Queue
System Admin	Full	Full	Full	Full	Full	Full	Full
Doctor	Edit	Edit	View	View	View	None	View
Nurse	Edit	View	Edit	View	None	None	Edit
Pharmacist	View	View	Edit	View	Edit	None	View
Lab Tech	View	View	None	Edit	None	None	View
Registration	View	None	None	None	None	None	Edit

Appendix C: Integration Points

graph TB
    Admin[System Administration] --> |User Auth| EMR[EMR System]
    Admin --> |Permissions| CPOE[CPOE System]
    Admin --> |Audit Logs| eMAR[eMAR System]
    Admin --> |Device Control| Kiosk[Kiosk Systems]
    Admin --> |API Keys| External[External APIs]

    Admin --> |LDAP| HR[HR System]
    Admin --> |PKI| CA[Certificate Authority]
    Admin --> |Alerts| Email[Email System]
    Admin --> |SMS| Gateway[SMS Gateway]

Appendix D: Security Architecture

graph TD
    User[Healthcare User] --> |Authentication| MFA[Multi-Factor Auth]
    MFA --> |RFID| RFID_Reader[RFID Reader]
    MFA --> |Biometric| Fingerprint[Fingerprint Scanner]
    MFA --> |Smart Card| Thai_ID[Thai ID Reader]

    MFA --> |Validated| RBAC[Role-Based Access]
    RBAC --> |Permissions| Apps[HIS Applications]

    Apps --> |Audit Trail| Logs[Audit Logs]
    Apps --> |Data Access| DB[(Encrypted Database)]

    Logs --> |Compliance| Reports[Compliance Reports]

Appendix E: Technology Stack Details

Backend (Nest.js)

Node.js 18+
@nestjs/core 10+
@nestjs/common
@nestjs/platform-express
TypeScript 5+
Prisma 5+ (@prisma/client, @nestjs/prisma)
PostgreSQL 15+ (pg driver)
@nestjs/passport (Authentication)
@nestjs/jwt (JWT handling)
class-validator, class-transformer (DTOs)
bcrypt or argon2 (Password hashing)
@nestjs/throttler (Rate limiting)
@nestjs/swagger (API documentation)

Frontend (Next.js)

Next.js 14
React 18
TypeScript 5+
Ant Design
Tailwind CSS
Zustand (State Management)
React Query
Axios (HTTP Client)

Infrastructure

PostgreSQL 15+ (Primary database)
Redis 7+ (Caching, sessions, rate limiting)
Docker & Docker Compose (Containerization)
Nginx (Reverse proxy, load balancing)
SSL/TLS 1.3 certificates
PM2 or Docker Swarm (Process management)
Prometheus + Grafana (Monitoring)

Document End

This SRS document serves as the comprehensive specification for implementing the ระบบผู้ดูแลระบบ (System Administration Module) within the MediTech Hospital Information System. All development activities should align with the requirements and standards outlined in this document.