Title:
METHOD AND APPARATUS FOR INCREASED SECURITY AGAINST PIRACY IN TELEVISION AND THEATRICAL POST-PRODUCTION
Document Type and Number:
WIPO Patent Application WO/2015/084382
Kind Code:
A1
Abstract:
A method for handling at least one audio-visual program or portion thereof in a post-production facility with increased security commences by first assigning to the at least one audio-visual program or portion thereof a security level associated with at least one post-production operation. Thereafter, at least one of an operator and a production device within the post-production facility are each assigned a security level for the at least one post-production operation. At least one of the at least one of an operator and production device are allocated to perform the at least one post-production operation based on the security level assigned to the operator and post-production device and the security level associated with the at least one audio-visual program or portion thereof.

Inventors:
KARAGIANIS GREG (US)
BETSCH JEAN-SÉBASTIEN (US)
ROBERTS MARK C (US)
Application Number:
PCT/US2013/073452
Publication Date:
June 11, 2015
Filing Date:
December 06, 2013
Assignee:
THOMSON LICENSING (FR)
KARAGIANIS GREG (US)
BETSCH JEAN-SÉBASTIEN (US)
ROBERTS MARK C (US)
International Classes:
G06F7/04
Foreign References:
US7376183B2, 2008-05-20
US20050096962A1, 2005-05-05
US6867683B2, 2005-03-15
US20050154699A1, 2005-07-14
US20050187806A1, 2005-08-25
Other References:
None
Attorney, Agent or Firm:
SHEDD, Robert, D. et al. (2 Independence Way Suite #20, Princeton NJ, US)
Claims:
CLAIMS

1. A method for handling at least one audio-visual program or portion thereof in a post-production facility with increased security, comprising the steps of:

assigning to the at least one audio-visual program or portion thereof a security level associated with at least one post-production operation;

assigning to at least one of an operator and a production device within the post-production facility a security level for the at least one post-production operation; and

allocating at least one of the at least one operator and production device to perform the at least one post-production operation based in part on the security level assigned to the operator and post-production device and the security level associated with the at least one audio-visual program or portion thereof.

2. The method according to claim 1 wherein the step of allocating comprises the steps of:

determining if the operator possesses skills needed to perform the at least one post-production operation; and if so,

allowing allocation of the operator to occur.

3. The method according to claim 2 further including the step of authenticating the operator.

4. The method according to claim 3 wherein the step of authenticating includes at least two of (1) authentication based on possession of a security token, (2) authentication based on a personal identifier, or (3) authentication based on a biometric identifier.

5. The method according to claim 1 wherein the step of allocating comprises the steps of:

determining if the production has availability to perform the at least one post-production operation; and if so,

allowing allocation of the operator to occur.

6. A method for handling at least one audio-visual program or portion thereof in a post-production facility with increased security, comprising the steps of:

accessing a job from a job queue, the job specifying at least one post-production operation for execution on at least a portion of an audio-visual program and at least one constraint associated with performing the at least one post-production operation;

determining if at least one of an operator or a production device have availability for performing the at least one post-production operation specified by the job and which satisfy the at least one constraint; and

allocating the job to the at least one of the operator or production device having the ability to perform the at least one post-production operation specified by the job and which satisfy the at least one constraint to the job.

7. The method according to claim 6 wherein the at least one constraint includes a requisite operator security level.

8. The method according to claim 7 wherein the at least one constraint includes availability of at least the portion of an audio-visual program.

9. The method according to claim 9 further including the step of allowing operator access to audio-visual programs and post-production devices only during scheduled job times.

10. The method according to claim 6 further including the step of seizing the at least one post-production device allocated to the job to prevent use during performance of the job.

11. The method according to claim 10 including the step of releasing the seized post-production device upon job completion.

12. A system for handling at least one audio-visual program or portion thereof in a post-production facility with increased security, comprising:

a job queue for storing at least one job specifying at least one post-production operation for execution on at least a portion of an audio-visual program and at least one constraint associated with performing the at least one post-production operation;

a processor for (1) determining if at least one of an operator or a production device have availability for performing the at least one post-production operation specified by the job and which satisfy the at least one constraint; and (2) allocating the job to the at least one of the operator or production device having the ability to perform the at least one post-production operation specified by the job and which satisfy the at least one constraint to the job.

13. The system according to claim 12 wherein the at least one constraint includes a requisite operator security level.

14. The system according to claim 12 wherein the at least one constraint includes availability of at least the portion of an audio-visual program.

15. The system according to claim 12 further including a database accessible by the processor for storing jobs, job constraints and operator information.

Description:
METHOD AND APPARATUS FOR INCREASED SECURITY AGAINST PIRACY IN TELEVISION AND THEATRICAL POST-PRODUCTION

TECHNICAL FIELD

This invention relates to a method and apparatus for handling audio-visual programs during post-production with increased security to reduce piracy.

BACKGROUND ART

During the creation of motion picture or television programs, hereinafter collectively referred to as "audio-visual programs," the captured images undergo subsequent processing along with captured audio. The term "post-production" serves as a general descriptor for the various processing operations applied to the captured images and captured audio. Typically, facilities where post-production occurs receive high-value audio-visual programs or portions thereof (sometimes referred to as "content") from many different sources, for example, movie studios, production companies, and other post-production facilities. The received audio-visual programs or portions thereof undergo storage on a variety of devices (for example, servers, players, renderers and storage mechanisms), each accessible from a variety of locations (e.g., edit bays, review rooms, quality check suites, etc.). Because of the flexibility required in typical post-production facilities, the stored audio-visual programs or portions thereof can undergo routing to and playout at many areas within such facilities. In well-run post-production facilities, such playouts necessarily occur with great frequency and generally do not arouse suspicion. Nonetheless, the playout of audio-visual programs or portions thereof at various areas in a post-production facility creates a risk of piracy.

Most post-production facilities impose a variety of security procedures including restricting physical access to only those operators who need to interact directly with particular system(s). Within most post-production facilities, the security department will grant operators selective access via a security badge or other well-known personal identification device. However, while such mechanisms can limit access to a particular operator for a designated time interval (the operator's regular shift), a need exists to limit access based on pending and current tasks as well as current and pending operator assignments. To increase security, many post-production facilities will dedicate certain areas to specific workflows. For some activities, dedicating certain areas to certain activities can limit the access of operators to the images and/or audio associated with certain audio-visual programs. However, dedicating certain areas to certain activities limits the flexibility to reallocate different devices to different workflows, as might be needed to quickly provision extra quality check stations, or re-allocate review or production suites, for example, depending on sudden changes in demand or urgency. Thus, a need exists to limit access to areas within the post-production facilities depending on actual workflow needs, both planned and immediate, but allow for reallocation quickly and with a minimum effort on the part of the post-production facility manager while maintaining high security.

Many computer and security systems maintain access logs by tracking computer login attempts and badge swipes by various personnel to increase security. In digital cinema exhibition facilities, each digital cinema media block maintains a log of which audio-visual programs (digital cinema composition) undergo playout and when such playout occurs.

However, such digital cinema security techniques have very little if any applicability in post-production facilities. Security techniques employed in digital cinema facilities operate on encrypted audio-visual programs, whereas most audio-visual programs in a post-production facility exist in unencrypted form. Further, within a typical digital cinema exhibition facility, the audio-visual program(s) become locked to particular projector(s) and/or media blocks making such security techniques ill-suited for use in post-production facilities that need the flexibility to route audio-visual programs or portions thereof to a variety of devices in different areas within the facility. Thus, a need exists for access logging in a post-production facility that not only logs playout of an audio-visual program, but the device(s) that played out the audio-visual program in order to determine the routing path.

Classically, user authentication measures fall into one of three categories:

(1) authentication based on what you have (e.g., a key, an RFID or token), (2) authentication based on what you know (e.g., a PIN or password), or (3) authentication based on who you are (e.g., a biometric identifier such as a fingerprint or iris scan). A process that makes use of two or more of these authentication measures often bears the designation "multi-factor authentication" and offers increased security as compared to an authentication process that uses a single such measure. However, an operator intent on making illicit copies in a post-production facility could properly satisfy all of these authentication measures because the operator has the appropriate key or token, knows the PIN or password, and the operator has a recognized biometric identifier. Thus, current user authentication measures alone remain inadequate. Therefore, a need exists for additional security measures beyond operator authentication.

BRIEF SUMMARY OF THE INVENTION

Briefly, in accordance with an illustrative embodiment of the present principles, a method for handling at least one audio-visual program or portion thereof in a post-production facility with increased security commences by first assigning to the at least one audio-visual program or portion thereof a security level associated with at least one post-production operation. Thereafter, at least one of an operator and a production device within the post-production facility are each assigned a security level for the at least one post-production operation. At least one of the at least one of an operator and production device are allocated to perform the at least one post-production operation based on the security level assigned to the operator and post-production device and the security level associated with the at least one audio-visual program or portion thereof.

Assigning security levels to the audio-visual programs or portions thereof and to operators and production devices in the post-production facility and allocating assignments of operators and production devices based on their security levels and that of the audio-visual programs or portions thereof provides better control against the threat of content piracy within the post-production facility. The method of the present principles improves security by restricting when, where, and who can access audio-visual programs or portions thereof.

Collusion among operators becomes more difficult by automating certain scheduling.

Proactive monitoring of logs of past and upcoming audio-visual program content access will yield evidence of activity and can act as forensic proof in the event of the actual detection of illicit copying.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an exemplary floor plan of a securely managed post-production facility for handling audio-visual programs with increased security in accordance with the present principles;

FIG. 2 depicts a block diagram of a system in accordance with an illustrative embodiment of the present principles for managing the post-production facility of FIG. 1 in accordance with the present principles;

FIG. 3 depicts in flowchart form the steps of a process executed by the system of FIG. 2 for queuing post-production tasks in the post-production facility of FIG. 1;

FIG. 4 depicts in flowchart form the steps of a process executed by the system of FIG. 2 for performing post-production tasks in the post-production facility of FIG. 1; and

FIG. 5 depicts an exemplary database employed by the system of FIG. 2 for handling audio-visual programs with increased security in the post-production facility of FIG. 1 in accordance with the present principles.

DETAILED DESCRIPTION

FIG. 1 depicts a floor plan of an exemplary embodiment of a secure post-production facility 100 suitable for practicing the technique of the present principles for handling at least one audio-program or portion thereof with increased security. In the illustrative embodiment depicted in FIG. 1, the post-production facility 100 has a configuration selected especially for digital cinema post-production. However, those skilled in the art will recognize that the technique of the present principles for handling at least one audio-program or portion thereof with increased security can readily apply to television production as well, when used in conjunction with a post-production facility appropriately configured for such content. The post-production facility 100 of FIG. 1 comprises four suites or rooms: (a) an administrator's suite 110, a review suite 120, a sub-titling suite 130, and a review theater 140. In addition to these four rooms, the post-production facility 100 includes an equipment room 150 for storing equipment utilized in connection with post-production operations performed in the various rooms in the facility. A door 111, locked by electronic lock 112, controls access to the administrator's suite 110. Within the administrator's suite 110, an administrator 160 sits at an administration station 113, which has at least one single-screen administrator terminal 114. The terminal 114 typically includes one or more user interface components such as a keyboard, mouse, trackball, touchscreen, and the like.

A door 121, locked by electronic lock 122, controls access to the review suite 120. Inside the review suite 120, an operator 170 sits at a review station 123, which comprises at least one multi-screen terminal 124. The review suite can also include a large media display device 125 for displaying an audio-visual program or portion thereof, typically a digital cinema composition given the configuration of the post-production facility for use in connection with digital cinema post-production. A door 131, locked by electronic lock 132, controls access to the subtitling suite 130. Inside the suite 130, an operator (not shown) sits before a subtitling station 133 that includes at least one multi-screen operator terminal 134 and large media display device 135.

A door 141, locked by electronic lock 142, controls access to the review theater 140, which includes a control station 143 having a multi-screen operator terminal 144. The review theater 140 also includes a digital cinema projector 146, typically housed in a projection booth 147, for displaying one or more audio-visual programs (digital cinema compositions) or portions thereof, on a projection screen 145. Within the review theater 140, clients can sit in comfortable furniture 148 to watch the audio-visual programs while an operator controls play out of such programs from the station 143.

The rooms in a post-production facility, such as the suites 110, 120, and 130 and the review theater 140 in the post-production facility 100 of FIG. 1, not only have the capability of handling (e.g., processing and/or displaying) the images of an audio-visual program (digital cinema composition), such suites can also handle (e.g., process and/or reproduce) the associated audio as well. Some post-processing facilities can have rooms (none shown) restricted to activities that require only audio (e.g., mixing orchestrations) or only require images (e.g., color timing), but not both. In cases of suites restricted to images or audio, no need exists for any capability to handle the other.

Like the suites 110, 120, and 130, and the review theater 140, access to the machine room 150 occurs through a door 161 controlled by an electronic lock 162. The equipment room 150 houses various pieces of equipment found in many post-production facilities. For example, the machine room 150 can house a Network Area Storage (NAS) system 151 that implements a secure media storage mechanism 230 depicted in FIG. 2. Further, in the equipment room 150, a Virtual Private Network (VPN) gateway 152 enables the exchange of audio-visual programs or portions thereof with movie studios, production companies or with other post-production facilities, for example, through a communications network, such as the Virtual Private Network 211 depicted in FIG. 2. The machine room 150 of FIG. 1 can also house one or more media processors, such as the media processors 153 and 154, each of which can take the form of the Clipster™ media processor manufactured by Rohde & Schwarz DVS GmbH, of Hannover, Germany. As depicted in FIG. 2, one or both of the media processors 153 and 154 can have associated content caches, such as the content cache 233 associated with the media server 154. Further, the equipment room 150 of FIG. 1 can include other media processing or playback servers including, but not limited to digital cinema servers or media blocks associated with digital cinema composition playout, such as the DCP-2000 digital cinema server manufactured by Doremi Labs of Burbank, CA, illustratively depicted as the digital cinema server 243 in FIG. 2. Further, the machine room 150 of FIG. 1 can house a digital cinema packaging server 155 that operates in conjunction with a key generator 156 to encrypt digital cinema compositions for distribution and to maintain decryption keys for decrypting such compositions.

A keyboard/video/mouse (KVM) switch 157 within the machine room 150 of FIG. 1 selectably connects each of the terminals 124, 134, and 144 to one or more of the media processors 153 and 154, the packaging server 155 and the key generator 156. An audio/video (A/V) router 158 routes the program outputs of the media processors 153 and 154 and the digital cinema server 243 of FIG. 2 to any or all of the media display devices 125 and 135 and the digital cinema projector 146, all of FIG. 1.

To implement the technique of the present principles for handling at least one audio-program or portion thereof with increased security, the machine room 150 also houses an operations scheduling server 159 and an A/V router control 160. The operations scheduling server 159 executes the secure post-production workflow processes 300 and 400 described in detail with respect to FIGS. 3 and 4, respectively. The A/V router control 160 manages the A/V router 158 under the control of the operations scheduling server 159. In some embodiments, the operations scheduling server 159 can also exert control over the KVM switch 157 and the NAS 151.

As discussed above, each of suites 110, 120, and 130, the review theater 140 and the machine room 150 has restricted access controlled through a corresponding one of the electronic locks 112, 122, 132, 142, and 162, respectively. An access control system 163, typically housed within machine room 150 but locatable elsewhere, controls the electronic locks 112, 122, 132, 142, and 162. To gain access to any of the suites 110, 120, 130, and 140 or the machine room 150, an operator will first authenticate himself or herself to the access control system 163 using one or more authentication methods as described previously. After authenticating the operator, the access control system 163 will release the corresponding electronic lock and allow access. To provide for increased security, the access control system 163 could query the operations scheduling server 159 to check the work schedule of an operator seeking access to one of the suites 110, 120, or 130, the review theater 140 or the machine room 150 and deny access if that operator is not scheduled to work at that time.

FIG. 2 depicts a block diagram of a system 200 for handling audio-visual programs (or portions thereof, e.g., digital cinema compositions) in the post-production facility 100 of FIG. 1 with increased security in accordance with the present principles. The system 200 of FIG. 2 includes the operations scheduling server 159 discussed with respect to FIG. 1 for executing the secure post-production workflow processes 300 and 400 of FIGS. 3 and 4, respectively, under the direction of an administrator communicating through the terminal 114 of FIG. 1. To the extent that an operator's permissions or job schedule depends on the time of day, the operations scheduling server 159 of FIG. 2 has access to a real-time clock 262, preferably a secure clock. As described in detail with respect to the workflow tasking queuing process 300 of FIG. 3, in order to execute that process, the operations scheduling server 159 will obtain a utilization template from a database 240 for the range of tasks specified in a work order and then write jobs for performing such tasks to a job queue 250. For purposes of clarity, the term "task" refers to one or more operations required on an audio-visual program or portion thereof. The term "job" refers to one or more activities performed by one or both of an operator and device(s) to complete a task.

The system 200 of FIG. 1 further includes a database (not shown in FIG. 2 but depicted as database 320 in FIG. 3) for storing work orders entered manually by an administrator through the terminal 114. In addition to or in place of accessing manually entered work orders from the database 320 of FIG. 3, the operations server 159 of FIG. 1 can communicate through a secure network 210 with the gateway 152 to receive work orders sent from customers via the virtual private network (VPN) 211.

To complete a work order, the system 200 will need to acquire the associated audio-visual program or portion thereof (e.g., digital cinema composition) if that program does not already exist in the system. Typically, the administrator (or designee) will accept a new audio-visual program or portion thereof, depicted by reference number 212 in FIG. 2, in connection with a work order. An ingest system 213 will first receive the accepted new audio-visual program 212 for subsequent transfer via the network 210 to the storage mechanism 230 comprising part of the NAS 151 of FIG. 1. In some embodiments, the system 200 of FIG. 2 will store the new audio-visual program 212 on several storage mechanisms (including storage mechanism 230) for redundancy. For example, a customer might require that their audio-visual programs not reside on storage devices exposed to operators working on other customers' programs in order to increase security. Further, in place of the network 210 (depicted in the form of a bus) other implementations could provide explicit virtual connections. For example, an allowed routings table (not shown) could connect the ingest system 213 to the secure media storage mechanism 230. Further, the NAS 151 of FIG. 1 could accept connections only from specific devices.

After receipt of the new audio-visual program 212, the operations scheduling server 159 can command the ingest system 213 to name and store the new audio-visual program in order for correct association with a particular work order or job. Alternatively, the accepted audio-visual program 212 could arrive via the virtual private network (VPN) 211 and the VPN gateway 152 for subsequent storage in the storage mechanism 230 as discussed previously.

The KVM switch 157 has the ability to connect any of the operator terminals 124, 134, and 144 via a set of connections 260 to any of the operations server 159, the ingest system 213, the media processors 153 and 154, the packaging system 155, the key generator 156, and the digital cinema server 243. As discussed previously, the digital cinema server 243 drives the digital cinema projector 146 of FIG. 1 with a packaged audio-visual program, which, as depicted in FIG. 2, resides at a secure content cache 244 when the digital cinema projector 146 has no other content source. In FIG. 2, the KVM switch 157 connects via a KVM bus 265 to the operations server 159, the ingest system 213, the media processors 153 and 154, the packaging system 155, the key generator 156, and the digital cinema server 243. Preferably, the KVM bus 265 could take the form of an IP bus made secure by using encrypted links. In other embodiments, each device could have a direct connection to the KVM switch 157. Exemplary KVM switches include the Avocent HMX Extender System manufactured by Emerson Electric Company of St. Louis, MO, and the VSM CommServer and related equipment manufactured by L-S-B Broadcast Technologies GmbH, of Wiesbaden, Germany. In some embodiments, the administrator terminal 114 could route through the KVM switch 157 rather than enjoy a direct connection to one or more devices.

In prior art post-production facilities using KVM switches, an operator at a terminal (e.g., the terminal 124) had the ability to select and thereafter control any of the devices connected to the switch, including one or more devices already in use by another operator at a different terminal. Alternatively, an operator could select from among a fixed subset of the devices connected to the switch. However, in accordance with the present principles, within the system 200 of FIG. 2, the operations scheduling server 159 has control over the KVM switch 157 and determines which terminals can permissibly connect to which devices (if any). In order for an operator at a terminal (e.g., the terminal 124) to connect to a particular device, e.g., the media processor 154, the operations scheduling server 159 will need to configure KVM switch 157 via the connection 260. For example, the scheduling server 159 can dynamically adjust the devices accessible to a particular operator for any or all terminals. After an operator logs into the system 200, the operations scheduling server 159 will verify the operator's credentials, including his/her security level, and then determine the eligible device(s) to which the operator can gain access in accordance with his or her currently assigned job.

As discussed previously in connection with FIG. 1, the access control system 163 controls access to the doors 111, 121, 131, 141, and 161 of the post-production facility 100 of FIG. 1 by unlocking a corresponding one of the electronic locks 112, 122, 132, 142, and 162, respectively, after the access control system has authenticated the operator or administrator seeking access. The access control system can notify the operations scheduling server 159 of the authentication of an operator or administrator or access to one of the suites 110, 120, and 130, the review theater 140 and/or the machine room 150. In response, the operations scheduling server 159 can activate and/or configure the KVM switch 157 for the corresponding terminal to offer the now-authenticated operator or administrator access to the device(s) authorized for that individual.

Once an operator has gained access to the room 120, the operator will log into the system 200 via the terminal 124 of FIG. 1. In response, the operations scheduling server 159 will select a job from a job queue database 250 based on the operator's security level as well as the security level associated with the job. Thereafter, the operations scheduling server 159 will select a resource utilization template for that job from a resource utilization template database 260. In accordance with the resource utilization template, and taking into account the operator's security level, the operations scheduling server 159 will direct the KVM switch 157 to make (or allow) appropriate connection between the terminal 124 and one of the media processors (e.g., media processor 153) now seized for use. Further, the operations scheduling server 159, operating through the A/V router control 160, both of FIG. 2, will now direct the A/V router 158 to connect the output from the media processor 153 to the media display 125 (both of FIG. 1).

The operations scheduling server 159 will also set permissions corresponding to this job for the media processor 153 to access the audio-visual program(s) or portions thereof from the secure program storage mechanism 230. Without the authorization by the operations scheduling server 159, the operator 170 will have no access to media processor 153 and no access to any of the audio/visual programs related to this job. Note that if operator 170 had entered the suite 130 and logged into the terminal 134 (rather than enter suite 120 and logged into terminal 124), the operator will be assigned the same job and will have access to the appropriate resources. To that end, the system 200 will seize the terminal 134 and the display 135 of FIG. 1 and connect them with the media processor 153 and the appropriate audio/visual program. Another operator entering a different room would not have access to the same equipment or audio-visual programs.
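An added example, not part of the patent text: a minimal Python model of the allocation step described above, in which the scheduling server matches operator and device security levels against a queued job, seizes the device, sets the permitted KVM connection, logs the device used, and answers the access control system's schedule query. The class names, the integer security scale, the choice of the lowest-cleared free device, and all sample operators, jobs, devices and terminal names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Operator:
    name: str
    security_level: int
    skills: frozenset
    shift: tuple                      # (start, end) of the scheduled work window


@dataclass
class Device:
    name: str
    kind: str
    security_level: int
    seized_by: Optional[str] = None   # id of the job currently holding the device


@dataclass
class Job:
    job_id: str
    required_skill: str
    security_level: int               # level assigned to the program for this operation
    device_kind: str
    operator: Optional[str] = None
    device: Optional[str] = None


class SchedulingServer:
    def __init__(self, queue, devices):
        self.queue = list(queue)
        self.devices = {d.name: d for d in devices}
        self.kvm = {}                 # terminal -> device the KVM switch may connect
        self.log = []                 # (time, event, operator, job id, device)

    @staticmethod
    def _scheduled(op, now):
        return op.shift[0] <= now < op.shift[1]

    def door_access(self, op, now):
        """Schedule query from the access control system before releasing a lock."""
        ok = self._scheduled(op, now)
        self.log.append((now, "door_granted" if ok else "door_denied", op.name, None, None))
        return ok

    def login(self, op, terminal, now):
        """Allocate the first queued job whose constraints the operator and a free device meet."""
        if self._scheduled(op, now):
            for job in self.queue:
                if job.operator is not None:
                    continue          # already allocated to someone else
                if op.security_level < job.security_level:
                    continue          # operator not cleared for this program
                if job.required_skill not in op.skills:
                    continue
                free = [d for d in self.devices.values()
                        if d.kind == job.device_kind and d.seized_by is None
                        and d.security_level >= job.security_level]
                if not free:
                    continue          # every suitable device is seized
                # Assumption: pick the lowest-cleared device so high-level ones stay free.
                dev = min(free, key=lambda d: d.security_level)
                dev.seized_by = job.job_id
                job.operator, job.device = op.name, dev.name
                self.kvm[terminal] = dev.name
                self.log.append((now, "allocated", op.name, job.job_id, dev.name))
                return job
        self.log.append((now, "denied", op.name, None, None))
        return None

    def complete(self, job, now):
        """Release the seized device and drop its KVM connection on job completion."""
        self.devices[job.device].seized_by = None
        self.kvm = {t: d for t, d in self.kvm.items() if d != job.device}
        self.queue.remove(job)
        self.log.append((now, "released", job.operator, job.job_id, job.device))


def demo():
    at = lambda h: datetime(2024, 1, 15, h)      # constructed working day
    shift = (at(9), at(17))
    alice = Operator("alice", 3, frozenset({"subtitling"}), shift)
    bob = Operator("bob", 1, frozenset({"subtitling", "qc"}), shift)
    carol = Operator("carol", 3, frozenset({"subtitling"}), shift)
    server = SchedulingServer(
        [Job("J1", "subtitling", 3, "media_processor"),
         Job("J2", "qc", 1, "media_processor"),
         Job("J3", "subtitling", 3, "media_processor")],
        [Device("mp153", "media_processor", 3), Device("mp154", "media_processor", 1)])
    out = {}
    out["bob"] = server.login(bob, "t124", at(10))        # not cleared for J1, gets J2
    out["alice"] = server.login(alice, "t134", at(10))    # J1 on the level-3 device
    out["carol_blocked"] = server.login(carol, "t144", at(11))  # level-3 device is seized
    server.complete(out["alice"], at(12))
    out["carol"] = server.login(carol, "t144", at(12))    # device released, J3 allocated
    out["bob_after_hours"] = server.door_access(bob, at(20))
    out["kvm"] = dict(server.kvm)
    out["events"] = [e[1] for e in server.log]
    return out


if __name__ == "__main__":
    print(demo()["events"])
```

The log records which device each job ran on, which is the routing information the background section says post-production access logging needs.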

The technique of the present principles for handling audio-visual programs in a post-production facility with increased security depends on at least two roles carried out by different individuals in the course of secure post-production activities. The "administrator" (manager) has the role of accepting and scheduling work, whereas the "operator" who possesses technical and/or artistic skills, has the role of executing a job (i.e., performing the task(s) corresponding to that job) by making use of one or more of the devices within the system 200 of FIG. 2.

FIG. 3 depicts in flow chart form the steps of a secure post-production workflow administration process 300 executed by the system 200 of FIG. 2 under the supervision of the administrator who accepts and schedules work. The administration process 300 starts upon execution of step 301 during which the operations scheduling server 159 of FIGS. 1 and 2 acquires information about available operators, their skills and security levels and other characteristics, as well as information about post-production resources (e.g., devices and facilities).

Following step 301, the administrator will authenticate himself or herself to the system during step 302 by traditional means, for example using a two- or three-factor authentication process as described above. Thereafter, the operations scheduling server 159 executes step 103 to acquire a work order. For example, the operations scheduling server 159 could acquire a work order previously entered into the work order database 320 depicted in FIG. 3. Rather than acquire the work order from the work order database 320, the operations scheduling server 159 could accept a work order from an external source, such as a movie studio, via the VPN 211 and the gateway 152, both of FIG. 2. Alternatively, the administrator could manually enter a work order.

A typical work order accepted during step 302 or manually entered by the administrator will require one or more tasks, each entered as a corresponding job. Each task corresponds to one of the post-production operations the post-production facility 100 of FIG. 1 has the capability to perform. Each task has a corresponding task template which describes the task, the skills required by an operator to perform that task, the type of audio-visual program or portion thereof needed in connection with the task, and the kind of audio-visual program or portion that results after task execution. The task template also identifies what kinds of resources (such as devices and locations, etc.) within the post-production facility 100 of FIG. 1 are needed to perform the task. As part of the acceptance of the work order, the operations scheduling server 159 of FIGS. 1 and 2 will map the work order to one or more tasks, which are queued as jobs. The corresponding audio-visual program or portion thereof with the work order must represent an acceptable kind of program for the task, and if so, the program becomes associated with the job(s). The operations scheduling server 159 can automatically break out the jobs from the work order, especially if the work order specifies the necessary tasks. Alternatively, the administrator could manually associate tasks with jobs.

In the exemplary embodiment of process 300 depicted in FIG. 3, the step of accepting a login from an administrator (step 302) precedes acceptance of a work order during step 303. Under circumstances in which the administrator manually enters the work order, or when manual acceptance of an externally received work order by an administrator must occur, the administrator must log in first in order to complete these duties. However, in some instances, automatic acceptance of an externally received work order will prove useful. Thus, if desired, the operations scheduling server 159 of system 200 could automatically accept a work order without the need for an administrator to log in first. In other words, step 303 could occur prior to, or even in the absence of, step 302, although having an administrator manually confirm acceptance of a work order accepted automatically by the operations scheduling server 159 can prove beneficial.

Following step 303, during which work order acceptance occurs, step 304 undergoes execution, during which acceptance of an audio-visual program or portion thereof associated with the work order occurs, followed by program storage in the secure storage mechanism 230. Acceptance of the audio-visual program or portion thereof could occur automatically, followed by administrator confirmation of such acceptance. Alternatively, manual acceptance by an administrator may prove preferable.

Acceptance of the audio-visual program or portion thereof during step 303 might include ingesting an audio-visual program or portion thereof accompanying the accepted work order or accepting an audio-visual program or portion thereof that arrived separately. In some embodiments, the audio-visual program or portion thereof associated with the work order might arrive in encrypted form. Under such circumstances, the work order will have the decryption key(s) necessary to decrypt the audio-visual program or portion thereof. The audio-visual program or portion thereof may comprise any combination of audio, images, text (e.g., subtitles, captions), metadata, and/or auxiliary tracks (e.g., tracks that carry data for motion seats). Step 104 remains optional and for this reason, this step appears in dashed lines in FIG. 3. In some instances, the audio-visual program or portion thereof associated with the accepted work order will already reside in the secure program storage mechanism 230 or elsewhere within the system 200. For example, the needed audio-visual program or portion thereof could exist as a result of a previous work order. Further, in some embodiments, accepting the audio-visual program or portion and ingesting the program into the secure storage mechanism 230 could constitute a preliminary task assigned to an operator to perform prior to performing other tasks.

During step 305 of FIG. 3, the operations scheduling server 159 of FIGS. 1 and 2 will associate the work order with one or more resource utilization templates stored in the resource utilization template database 260 to identify resources needed for the work order, such as (1) the necessary devices (e.g., media player, display type, media encoder, packaging appliance, etc.), (2) the necessary locations in the post-production facility(s) (e.g., workstation, private projection room, or projection room with seating for clients), and/or (3) the necessary software. Each of the needed resources identified by the resource utilization templates associated with the work order should correspond to at least one piece of equipment, location, or piece of software available within or accessible to the secure post-production facility 100 of FIG. 1. The operations scheduling server 159 of FIGS. 1 and 2 will associate the resource utilization templates with the work order as well as the individual jobs within the work order, the records for such jobs being stored in the jobs constraint database 240.

In some embodiments, the operations scheduling server 159 will automatically associate the work order with the correct resource utilization templates based on the kind(s) of supplied audio-visual programs or portions thereof, and specific requirements specified within the work order. For example, a box checked or a category otherwise selected with regard to the submitted work order, especially in conjunction with the supplied audio-visual program(s) or portion(s) thereof, may correspond unambiguously to a specific template (or to a specific group of templates). In other embodiments, an administrator can manually associate one or more templates with a work order. During step 306, the operations scheduling server 159 will automatically enter a set of operator pool constraints for the work order. Alternatively, the administrator could manually enter the operator pool constraints during step 306. Some tasks require certain skills, not all of which every operator will possess. Thus, there might only exist a limited pool of operators with the capability of performing a given task. Typically, the template(s) identified during step 305 will specify the necessary operator skill(s).

Further constraints could exist that restrict which operators can perform a given task. Some work orders (or the entities issuing such work orders) may limit which operators can permissibly access certain audio-visual programs or portions thereof. For example, a work order or the entity issuing that order could restrict the available pool of operators to those having particular security clearances, or studio-specific training, or those who regularly work on jobs from this client. Alternatively, or in addition, the work order or the entity issuing that work order could specify one or more specific operators (i.e., the work order calls out a particular individual as a "key man" or imposes a "talent" restriction). The job record(s) associated with that work order stored in the secure job record database 240 will indicate such constraints.

During step 307, acceptance of the scheduling information derived from the work order and templates occurs, either manually by an administrator or automatically via the operations scheduling server 159. The accepted scheduling information gets added to the corresponding secure job records stored in the secure jobs record database 240. In practice, the accepted work order will have a deadline or at least a promised delivery date. Taking into account the deadline or promised delivery date and the expected duration of the job(s) associated with the work order, the operations scheduling server 159 of FIGS. 1 and 2 will generate a schedule indicating the need to complete or start a particular job by a required time. The schedule could indicate a preferred earlier start or completion time, for example if the duration of the job lacks predictability or the job sometimes fails and requires rework. During step 308, release of the work order occurs, either manually or automatically, followed by storage of the corresponding job(s) and associated constraints in the job queue database 250. The secure post-production workflow administration process 300 concludes upon execution of step 309.

Once the secure post-production workflow administration process 300 of FIG. 3 concludes, the system 200 of FIG. 2 then executes the secure post-production workflow operations process 400 shown in FIG. 4. The process 400 begins at step 401 during which the system 200 undertakes the necessary steps to initialize itself for workflow administration, including readying itself for operator login. Following step 401, step 402 undergoes execution during which the system 200 accepts an operator login and thereafter authenticates the operator. Typically, authentication occurs as described above.

Steps 403-405, described below, constitute a loop through which the system 200 iterates to find available job(s) in the job queue database 250 whose constraints the system can satisfy, including any associated operator pool constraints satisfied by operator(s) already authenticated by the system. During step 403, the operations scheduling server 159 of FIGS. 1 and 2 retrieves a job from the queue database 250. During step 404, the operations scheduling server 159 retrieves a corresponding record for the retrieved job from the secure job constraints database 240. During step 405, the operations scheduling server 159 examines the retrieved job and determines whether the operators' skills and available resources satisfy the job's constraints. If so, then step 406 undergoes execution, whereupon the operations scheduling server 159 commits to the retrieved job. Otherwise, if the operators' skills and available resources do not satisfy the constraints of the retrieved job, the operations scheduling server 159 will reject the retrieved job and re-execute step 403 to retrieve a different job from the job queue database 250. During subsequent iterations of steps 403-405, if conditions change, e.g., a device, facility location, or dedicated workstation or seat-limited software license becomes available, or an operator acquires a new skill or security level, then the operations scheduling server 159 can re-evaluate a previously rejected job.

After the operations scheduling server 159 commits to a retrieved job, then step 408 undergoes execution, whereupon the operations scheduling server now "seizes" (i.e., reserves) the resources necessary for processing the job. Note that execution of step 408 does not strictly require making the resources available now, though that could be the case. Rather, the seizing of resources during step 408 could correspond to a future scheduled activity occurring later during an operator's shift. During step 409, the system 200 allows the operator access to the seized resources and to the securely stored media 130 corresponding to the job, and the operator performs the designated task. Upon performing the assigned task, the operator will indicate completion. Depending on the task, the operations scheduling server 159 could automatically detect task completion. Following task completion, the audio-visual program or portion thereof undergoes storage in the secure storage mechanism 230.

During step 410, the operations scheduling server 159 releases the previously seized resources and revokes the previous access given to the operator(s) for such seized resources. Thus, the operator(s) no longer have access to the previously seized resources in connection with the audio-visual program or portion thereof associated with the completed task. Only during steps 408 and 409 will an operator have access to the audio-visual program and only to that portion of the program associated with the assigned job and only on the devices and in the locations allocated to that job.

During step 411, the secure post-production workflow operations process 400 concludes. Typically, the process will repeat as long as operator(s) and resources remain available and one or more jobs remain unperformed. If the operations scheduling server 159 allocated more than one seized resource for the allocated jobs, then the next iteration of the process 400 of FIG. 4 could begin at step 409.
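The job-matching loop and the seize/release cycle of steps 403-410 can be sketched as follows. This is an added example, not code from the patent: the class, field and resource names are assumptions, the sample facility is constructed, and comparing numeric security levels is one possible reading of the security-level constraint.

```python
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    kind: str                          # e.g. "media_processor", "screening_room"
    status: str = "available"          # "available" or "busy"

@dataclass
class Operator:
    name: str
    skills: set
    security_level: int                # assumed: higher number means more cleared

@dataclass
class Job:
    job_id: str
    content: str                       # the only program (or portion) the job exposes
    required_skills: set
    required_kinds: list               # resource kinds named by the task template
    min_security_level: int
    allowed_operators: object = None   # optional "key man" set of operator names
    status: str = "queued"

class Scheduler:
    def __init__(self, resources, queue):
        self.resources = resources
        self.queue = list(queue)
        self.grants = {}               # operator name -> (job, seized resources)

    def _operator_ok(self, op, job):
        named = job.allowed_operators is None or op.name in job.allowed_operators
        return (named and job.required_skills <= op.skills
                and op.security_level >= job.min_security_level)

    def _pick_resources(self, kinds):
        """One available resource per required kind, or None if any kind is short."""
        picked = []
        for kind in kinds:
            free = [r for r in self.resources if r.kind == kind
                    and r.status == "available" and r not in picked]
            if not free:
                return None
            picked.append(free[0])
        return picked

    def assign(self, op):
        """Steps 403-408: scan the queue, commit to the first satisfiable job, seize."""
        if op.name in self.grants:
            return None                # operator already holds an allocated job
        for job in self.queue:
            if job.status != "queued" or not self._operator_ok(op, job):
                continue               # rejected for this operator; try the next job
            picked = self._pick_resources(job.required_kinds)
            if picked is None:
                continue               # stays queued, re-evaluated on a later call
            for r in picked:
                r.status = "busy"
            job.status = "assigned"
            self.grants[op.name] = (job, picked)
            return job
        return None

    def can_access(self, op_name, resource=None, content=None):
        """Step 409 check: default deny, allow only what the current job names."""
        grant = self.grants.get(op_name)
        if grant is None:
            return False
        job, picked = grant
        if resource is not None and resource not in {r.name for r in picked}:
            return False
        return content is None or content == job.content

    def complete(self, op_name):
        """Step 410: release the seized resources and revoke the operator's access."""
        job, picked = self.grants.pop(op_name)
        for r in picked:
            r.status = "available"
        job.status = "complete"
        return job

def build_demo():
    """Constructed sample facility: two media processors, one room, two jobs."""
    resources = [Resource("mp-a", "media_processor"), Resource("mp-b", "media_processor"),
                 Resource("room-1", "screening_room")]
    queue = [Job("J1", "feature-reel-3", {"color"},
                 ["media_processor", "screening_room"], 3),
             Job("J2", "trailer-a", {"qc"}, ["media_processor"], 1)]
    return (Scheduler(resources, queue), Operator("alice", {"qc"}, 1),
            Operator("bob", {"color", "qc"}, 3))

if __name__ == "__main__":
    sched, alice, bob = build_demo()
    print(sched.assign(alice).job_id, sched.can_access("alice", content="feature-reel-3"))
```

Access is derived only from the current grant, so removing the grant in `complete` is what revokes it; there is no standing permission for the operator to fall back on.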

In some embodiments, the operations scheduling server 159 of FIGS. 1 and 2 could select subsequent jobs during step 403 of FIG. 4 by giving preference to those jobs that require like resources, i.e., those jobs with requirements satisfied by the same devices and/or facility location. In this way, the operations scheduling server 159 can assign consecutive jobs to an operator to minimize the necessity for the operator to move to a new location or to use different equipment, thereby gaining efficiency by reducing the expected workspace setup time.

FIG. 5 depicts an exemplary database 500 for storing information related to the workflow processes 300 and 400, of FIGS. 3 and 4, respectively. The database 500 has different portions, including:

(1) A template portion 510 (including resources table 514) corresponding to resource utilization templates 160,

(2) A work order portion 520 (including content records 522) corresponding to work orders 120,

(3) Personnel tables 530 and 531; and

(4) A job records portion 540 corresponding to secure job constraints records 140 and job queue 150.

Within the task template portion 510, a templates table 511 contains a record for each kind of task that the facility 100 of FIG. 1 can perform. (In some embodiments, the templates table 511 could include tasks "performed" by outsourcing the work to another facility.) Each template record in table 511 has a relationship 564 with zero or more pieces of audio-visual programs noted in template content table 514. Further, each record will indicate the kind of source audio-visual program or the type of program produced as an output.

Preferably, each template content record identifies a naming convention so automatic determination and/or modification of filenames can occur without requiring operator intervention.

Each template record in table 511 has a relationship 513 through a linking table 516 with (1) zero or more kinds of resource (i.e., kinds of devices, such as media processors, key generator, etc.). Further, each template record has a relationship 566, through the linking table 516 with the kinds of locations in the post-production facility 100 of FIG. 1, such as a room with 5.1 audio presentation or a room with a digital cinema display or a room with client seating. Those skilled in the art will recognize that the linking table 516 implements a many-to-many relationship between template records in the templates table 511 and resource in table 516.

Each of the resources in facility 100 has a corresponding record in the resources table 515, and has a relationship 565 with the appropriate resource kind. Under circumstances where the tasks represented by records in templates table 511 have associated kinds in the table 516 but no associated resource records in the table 515, then the post-production facility 100 would not have the ability to perform the task. (However, the facility 100 could perform the task by sub-contracting the task to another facility or make arrangements to acquire the necessary resources and/or operators at a future time.) The operator skills needed to perform tasks appear in the skills table 512 and have an association with the individual template records in table 511 specified by the relationship 562, which those skilled in the art will recognize as a many-to-many relationship, but here without the linking table explicitly being shown. Thus, the task template portion 510 of database 500 lists all the possible tasks as records in the templates table 511, and associates each task with (1) the corresponding kinds of audio-visual programs listed in table 514, (2) the necessary resources listed in table 516, and (3) the required operator skills listed in table 512.

Upon initial receipt of a work order during step 302 of FIG. 3, the work order will enter into the work order portion 520 of the database 500, initially as a record in the work orders table 521. Upon acceptance of the audio-visual program in connection with acceptance of the work order during step 304, the program undergoes storage into the storage mechanism 230 of FIG. 2. The corresponding program record created in the content table 522 will have an association with the work order record as specified by the relationships 524 and 525 and the linking table 523 (resulting in another many-to-many relationship). Content records in table 522 identify the audio-visual program or portion thereof and provide information about the program, for example, the metadata, which may include the decryption keys for encrypted programs and notes indicative of the file location (i.e., which file in the content storage mechanism 230 of FIG. 2 corresponds to this program). Further, the content records in the table 532 allow access to the audio-visual program or portion thereof and the setting of one or more flags to indicate whether the file is complete (as the record in table 522 may exist before the program has been ingested, or before the ingest completes).

The operations scheduling server 159 of FIGS. 1 and 2 work order into tasks, the jobs.

During this process, the portion 540 of database 500 of FIG. 5 registers each task as a job record in the jobs table 541. The administrators table 530 will record the administrators (and/or automatic processes) having access to the system 200. The entries in this table have an association with the records of the jobs they create specified by the relationship 551. Each job record in 541 has a task kind identified that identifies the nature of the job. An association exists between an audio-visual program or portion thereof and each job as specified by the relationship 553 between the records in the content table 542 and the records in the job content file 542. An association also exists between the role of the audio-visual program in the job and the corresponding template record in table 514 as specified by the relationship 544.

Thus, for each job, the operations scheduling server 159 of FIGS. 1 and 2 will identify every required audio-visual program or portion thereof, including the particular use of that program or portion thereof (i.e., the role of the program, as described by the template in the table 511 and the template content records, if any, in table 514). Note that the audio-visual program or portion thereof recorded in the content table 522 might find application in more than one job, and might serve more than one purpose in a given job. Each record in job content table 542 corresponds exactly to (1) one content record in the table 522, (2) one job in table 541, and (3) one content role as specified by a template content record in the table 514. However, a job or a template can relate to multiple audio-visual programs, and a program might find use more than once.

The job content table 542 does not strictly list source audio-visual programs or portions thereof. After creation of an audio-visual program or portion thereof during performance of a task, the resulting program will undergo storage in the storage mechanism 230 (or other storage device). The created audio-visual program becomes associated with the job and the program role is recorded in a job content record in table 542, but here the flag will designate the program as a "result" rather than as a "source" program.

In some embodiments, creation of records representing the "result" program may occur at the time of creating the job, with the corresponding "complete flag" status indicator in content table 522 set to false (i.e., not complete). Later, after completion of the job, the status will now indicate job completion. Note that creating the records for audio-visual programs or portions thereof that result from a job in advance of the task completion allows for creation of job records for subsequent tasks dependent upon yet-to-be-created audio-visual programs or portions thereof. However, after creation of the audio-visual program or portion thereof, the dependency becomes satisfied, enabling release of the latter task into the job queue 150.

After pulling a queued job from the job queue 350 during step 403 of FIG. 4, priority and schedule information from the table 541 can assist in determining which jobs get pulled in preference to others. During evaluation of the constraints associated with a pulled job, the operations scheduling server 159 can determine the required resource kinds recorded in table 516 in accordance with the relations 554, 563, and 566, and the linking table 513, all of FIG. 5. The resources in table 515 of the matching kind, as determined by the relationship 565 and having a status of "available," represent candidates for consideration. When a collection of resources matches all of the template's resource kind requirements, then the operations scheduling server 159 of FIGS. 1 and 2 will deem the necessary resources "available." Similarly, for the current operator, there will exist a corresponding operator record in the operator table 531 listing that operator's skills via the relationship 558. If the operations scheduling server 159 determines that these skills correspond to those required for the scheduled tasks (denoted by the relationship 562), then operations scheduling server will deem the operator as having the required skills. Other constraints that can undergo checking during step 404 include the current time 262 and the expected task duration (as obtained from the template description for the task record in the table 511) and comparing the task duration with the operator's schedule (as obtained from the operator record in table 531). Once the operations scheduling server 159 determines: (1) the availability of the audio-visual program for a job, (2) the availability of devices and/or locations meeting task requirements, and (3) the availability of operator(s) having the necessary skills, then the operations scheduling server can assign the job during step 405 of FIG. 4.

After assigning the job during step 405, step 406 undergoes execution at which time the operations scheduling server 159 sets the status of the selected resource(s) to "busy" and now associates the resources with the job through the relationships 557 and 545, and the linking table 543. The operations scheduling server 159 will set the expected utilization for those resources to an expected completion time based on the expected duration of the task as obtained from the template description in the table 511 associated with the job.

Once the operations scheduling server 159 has allocated the pertinent resources, the operations scheduling server will use the "resource address" field of the resource record in the table 515 to configure the KVM switch 157 and the A/V router 158 of FIG. 1 appropriately. For example, when the media processor 154 gets allocated to a job, the "resource address" will indicate that the operator's terminal should connect to this media processor via KVM switch 157. Depending on the room in the post-production facility allocated for the job, the "resource address" for the room will designate which of terminals 124, 134, and 144 becomes the operator's terminal and thus eligible to connect through the KVM switch 157 to other devices, thereby providing the complete configuration information for the KVM switch 157 for this job. Further, the "resource address" for the media processor 154 of FIGS. 1 and 2 will indicate the input of the A/V router 158 of FIG. 1 to accept the output signals from the media processor 154. The allocated room's "resource address" might further indicate the corresponding output port of the A/V video router 158 corresponding to the media display, thereby providing complete configuration information for the A/V router for this job.

Upon task completion, the operations scheduling server 159 will set the corresponding job status in the table 541 to "complete", allowing release of the resources associated with the job as indicated by the linking records in the table 543 (i.e., the operations scheduling server sets the status of these resources to "available.") Additionally, the operations scheduling server 159 sets the status of the resulting program or portion thereof to "complete" and/or updates the audio-visual program or portion thereof. For example, if a task required performing a quality check of a certain audio-visual program, and the program passes the quality check, then the operations scheduling server 159 will update the metadata for that program to indicate the program passed a quality check. Thus, a quality check constitutes an example of a task that has a source program, but no result program, other than updating of the metadata for the source program. If the source audio-visual program failed the quality check, the operations scheduling server 159 will update the metadata to indicate that failure. Under such circumstances, a benefit exists in updating of the status of the program to indicate that while the program is "complete," no further use of the program should occur. For this reason, the operations scheduling server 159 could set the program status as "complete - failed QC" and generate a warning to the appropriate operator or administrator for special handling.

At any time, an administrator, once authenticated, can access a report on the status of work orders, jobs, resources, media, operators, etc. Further, the administrator can access reports on unsatisfiable task templates (because of insufficient resources or insufficient skills) or alerts. Further, an administrator can research the resource kinds or skills rare enough to cause frequent job allocation delays. Regressing actual job durations (not shown) against media size (i.e., number of frames, etc.) can improve expected utilization computations.

Further, the specific template record can refine the portion of the template description that describes the expected utilization.

After job completion, the operations scheduling server 159 can command the A/V router 158 and KVM switch 157 to drop the connections made in response to step 408 as part of the resources released during step 410. Thus, the A/V router 158 and KVM switch 157 will no longer route output of the media processor 154 to the media display in the allocated room. Further, the operator terminal of that room will no longer enjoy a connection to the media processor 154 of FIGS. 1 and 2.

In some embodiments, certain optimizations can occur. For example, the system 200 of FIG. 2 can allocate a series of jobs to multiple operators, each of which can utilize at least some of the same devices. Under such circumstances, the operations scheduling server 159 might not fully release the devices (potentially making them available for jobs pulled by other operators), and instead give the present operator priority on those devices for an interval of time. Giving the operator priority can reduce "churn," where the operator must move from room to room to have access to essentially interchangeable resources.

The technique of the present principles for handling audio-visual programs or portions thereof advantageously limits operator access to only the devices and audio-visual program(s) or portions thereof prescribed by a single allocated job. The operator cannot use the resources at other times. Even while resources remain available, an operator cannot freely browse unspecified audio-visual programs or portions thereof, thereby improving the security of post-production facility 100.