We have the same solution in our (regulated) lab.
Shared Windows-login and individual login to Chromeleon. We are thinking of removing the Windows-login completely since it makes no sense. The computers have no internet access or access to any servers (except the Chromeleon server).
Would this be questioned by the authorities? I am not an IT person; is there another way to solve this?
We have two HPLCs per computer, so two persons must be able to use each computer.
It will be questioned by the regulators. But every company is different. It is a good idea to have documented justification (risk assessment, etc.) for the reason you are not enforcing person-specific access control for that workstation if it is used for GxP activities. I think the workstation, including the OS, is part of the computerized system. For us, we found that the risk of non-compliance outweighs the convenience.
I am not familiar with the Chromeleon CDS; is it technologically impossible to open a second session on a separate Windows account while the data acquisition session is running under a locked Windows account?
Here are a few of the risks for my company:
1) Operators often forget to manually lock the CDS session. If two similar-looking CDS sessions are open side by side, operators may access the wrong session (un)intentionally before the automatic lock is triggered. A person-specific Windows login will not eliminate this problem, but will significantly reduce the risk.
2) The Windows audit logs on the workstation are not attributable. We retain the Windows audit log to reconstruct events and to detect and investigate problems. With a shared login, the audit trails are not attributable.
3) A person-specific Windows login reduces the risk of unauthorized access by adding a second layer of protection.