I have had a similar situation with XRD instruments.
A few questions are in order before we can give you advice.
You say that access is limited to the instrument. Is the computer
networked (e.g. use of a directory services for authentication)? Are you
running a variation of MS Windows NT (4 thru Vista)?
If yes, you have the potential for physical (Card Access) and logical
security (Access Controls). This gets you part way to subpart B 11.10c.
The second part of 11.10c is data protection. SOPs are great, but how can
you demonstrate compliance? If I were auditing you, this would be a
central point in my inspection.
Most XRD instrument software is written without security controls available
(as you have pointed out). One way I have dealt with this issue is to use a
software system (Waters SDMS or Agilent ECM) to capture raw and meta data
generated by the instrument without overwriting the data with each
instrument session. Besides a pseudo audit trail (who and when, but not a
detailed what changed), this system allows access to data at your business
pc (rather than just the lab pc).
One other fundamental issue with Part 11 is that the system must be
validated. This includes both the hardware and software parts of the
system. I am assuming that you are in the process for this activity and
this why you are asking the question.
There are other more convoluted and labor intensive ways around this issue
that are completely dependent on your environment and the number of warm
bodies available to insure compliance with Part 11.
The SDMS or ECM solution is not perfect. These systems require constant
feeding (maintenance, change management, etc.) and are quite expensive.
They do give benefits over and above compliance however and are well worth a
look if your needs are more than just a few instruments.
As is usual in these matters, there are no simple answers. It would help if
more instrument vendors gave us compliant software to work with, but without
demand, we have no hope on this issue.
I hope that this helps.