3 - Three Failures, one response.
Between Randox in 2017 and what happened next, the system was tested twice more. Different providers. Different failures. Same response.
Previously, I set out what the system built after Randox. Mandatory notification to the Regulator. Declarations of compliance in expert reports. Disclosure obligations under the Criminal Procedure and Investigations Act 1996. A statutory Code of Practice with teeth. That framework exists because 10,000 cases were affected and the system decided it could not afford to be caught off guard again.
The question is whether the framework actually worked. Between 2019 and 2021, two more incidents publicly tested it. Neither involved deliberate data manipulation. Neither looked anything like Randox. But in both cases, the reliability of forensic evidence provided to the criminal justice system was called into question.
Eurofins: When the Lights Went Out
In June 2019, Eurofins Forensic Services was hit by a ransomware attack. Eurofins was not a small operation. It was one of the largest private forensic science providers in England and Wales, handling around 70,000 criminal investigations a year.1 At the time, roughly half of all outsourced forensic work passed through its laboratories.
The attack shut everything down. All casework at Eurofins stopped for approximately seven weeks.2 Court hearings were postponed because analysis results were unavailable.
The government did not wait for Eurofins to recover. They suspended all submissions to the company and moved live casework to other accredited providers. The NPCC coordinated the national response, working with remaining providers to absorb the displaced work. It was disruptive, it stretched capacity across the sector, and it caused delays. But the principle was established, if a provider cannot demonstrate that its systems are reliable or safe to submit samples from the criminal justice system, you do not keep sending it work. You move the work to some other laboratory who can.
Nobody at Eurofins had manipulated data. Nobody had committed malpractice. Nobody had failed an accreditation assessment. But the consequences for the criminal justice system were immediate and severe.
The Forensic Science Regulator classified it as a “severe risk” referral. To put that in context, the Regulator’s 2019 annual report includes a table tracking referrals over the previous five years. In the period from November 2014 to November 2019, covering hundreds of referrals, there was exactly one classified as “severe risk.” This was it.
The response was substantial. The National Crime Agency took operational command of the criminal investigation. The National Cyber Security Centre deployed specialist officers. UKAS and the Forensic Regulator coordinated the response with Eurofins and police forces nationally. The Regulator subsequently worked with the NCSC to develop new cyber security requirements for inclusion in the Code of Practice.
The Regulator’s 2019 annual report explained the wider significance. The attack, it said,
“gave a glimpse of the impact that losing a major broad-spectrum supplier of forensic science would have on the Criminal Justice System.”
The Regulator was flagging a structural vulnerability in the entire system. The forensic science market in England and Wales depends on a small number of large providers. Lose one, and the system buckles.
But it also shows that the threshold for referring something to the Regulator was never limited to human error, bad science or bad actors. The threshold was simply something has happened that could affect the reliability of forensic evidence in the criminal justice system. Eurofins was referred. The system responded. Parliament was told. New requirements were written. The pattern held.
Synlab: Swift Exit
Less than eighteen months after the Eurofins attack, the system was tested again. This time it was not an external threat. It was a provider that, in the Regulator’s own assessment3, did not understand what forensic science for the criminal justice system required.
“First, in terms of commercial organisations coming into the market, when I did the review of the drugs-driving company, I saw that they had not appreciated the rigour of the criminal justice system. This is a perfectly reputable company doing toxicology analysis. It hit the criminal justice system and just did not realise the scrutiny that it would get with its results.”
Some context is necessary. The drug driving offence under section 5A of the Road Traffic Act 1988 was introduced in March 2015. It set legal limits for specified controlled drugs in blood. The analysis is quantitative, meaning it requires the laboratory to demonstrate that the concentration of a drug exceeds a specific legal threshold. That makes it technically demanding.
By 2019, the market for this analysis was under serious pressure. The three major providers had just attended the House of Lords to give evidence of their perilous financial position and the urgent need for additional funding.
The Regulator’s first statutory lessons learnt review, published in May 2024, sets out the background plainly. In 2017, suspected data manipulation at Randox Testing Services led to their accreditation being withdrawn and their withdrawal from the drug driving analysis market entirely. In 2018, Key Forensic Services went into administration, causing backlogs and caps on forensic toxicology submissions nationally. In June 2019, the Eurofins cyber-attack suspended drug driving analysis at a third provider for several weeks4.
Into this market stepped Synlab Laboratory Services.
Precisely how Synlab came to be providing forensic evidence to the criminal justice system remains somewhat of a mystery. In February 2019, the West and South Coast Forensic Procurement Consortium, a group of police forces led by Avon and Somerset Constabulary, identified Synlab as a potential provider of drug driving analysis. They worked with the Home Office’s Forensic Marketplace Management team and approached Key Forensic Services to act as prime contractor, with Synlab as subcontractor. The arrangement came into effect in April 2019.
When the Regulator later tried to understand how Synlab was identified as a suitable provider and what due diligence had been carried out, the trail went cold.
The Regulator approached the Consortium to establish how Synlab was identified as a suitable provider and the level of due diligence that was carried out as a new provider. Since the original contract and sub-contracting arrangements were put in place new contracts have been established, staff have since retired and the leadership of the Consortium has moved to Dyfed Powys Constabulary. The Regulator has not been able to access records of the decision-making process and of consideration given to risk management during this period. Assurances have been provided to the Regulator that the Consortium and the Forensic Marketplace Management Team undertook appropriate due diligence, including ensuring that Synlab had the appropriate accreditation and visited Synlab’s premises.
The Regulator could not verify the process. A provider with no experience of forensic science for the criminal justice system was brought into the market to analyse blood samples and nobody could show the Regulator how or why that decision was made.
Synlab was part of a large diagnostics group. Its core business was workplace drug and alcohol testing, not forensic toxicology for the courts. In December 2018, Synlab was granted UKAS accreditation for section 5A analysis across a wider range of drugs. Live casework began in April 2019, with Synlab operating as a subcontractor to Key Forensic Services.
In June 2019, barely two months into live casework, UKAS assessed Synlab and found problems with how quality control samples and duplicate analyses were being managed. Synlab voluntarily suspended its accreditation while it addressed the findings. UKAS reinstated the accreditation in August 2019 with a reduced scope.
Casework continued.
Over a year later, in November 2020, a defence expert reviewing data from a batch of samples analysed by Synlab identified significant issues and referred them to the Regulator. Key Forensic Services suspended all submissions to Synlab on 10 December 2020. The NPCC convened a Gold Group in January 2021 to coordinate the multi-agency response.
Between January and October 2021, further problems with Synlab’s methods were discovered. The Regulator commissioned an independent scientific review, which reported in March 2022. Its findings were stark: major weaknesses in the analytical test method, ineffective quality management, and low overall confidence in the reliability of results reported to the criminal justice system.
The Regulator concluded that “all the analysis of blood specimens undertaken by Synlab for the purpose of Section 5A Road Traffic Act 1988 cannot be considered accurate and reliable.”
Over the period from April 2019 to December 2020, Synlab analysed 4,255 blood samples. Of these, 1,778 had drug levels reported as above the legal limit. All 1,778 results were rescinded. Key Forensic Services retested 97 samples where suitable material remained. Only 15 could be confirmed as above the legal limit, not necessarily because the original results were wrong, but because the samples had likely degraded beyond the point where the drug concentration could be reliably measured.
UKAS withdrew Synlab’s accreditation in January 2023, but not just from the date the problems were confirmed. The withdrawal was retroactive, covering the entire period that Synlab had been operational for section 5A analysis.
A retroactive withdrawal of accreditation means UKAS concluded that Synlab should never have been accredited for this work. It means every case in which Synlab’s accreditation was cited as assurance of quality, in contracts, in expert reports, in court, was based on a status that turned out to be hollow. This is a question about what accreditation actually guarantees. If a provider can hold accreditation for nearly two years, process over 4,000 samples for the criminal justice system, and then have that accreditation wiped as though it never existed, the system’s primary quality assurance mechanism has a credibility problem. Accreditation is supposed to mean something. Accreditation that can be erased as though it never existed is not what you’d expect from a process that the system relies upon as its key safeguard.
Who Knew What, and When
It is tempting to present the Synlab story as a straightforward case of the system working: a problem arose, the Regulator was told, the system responded. That is true, but the full timeline tells a more uncomfortable story about what happened in the eighteen months before that.
In June 2019, just two months into live casework, UKAS assessed Synlab and found that processes for duplicate analysis and quality control samples were not being properly implemented. Synlab voluntarily suspended its accreditation. There was an agreement in place between UKAS and the non-statutory Regulator to share information about quality issues. UKAS “highlighted the suspension of accreditation to the Regulator but did not highlight any potential risks or need for regulatory action.”
It is worth considering UKAS’s position. UKAS is an accreditation body. Its role is to assess whether a laboratory meets the requirements of an international standard, in this case ISO/IEC 17025. It is not, and has never claimed to be, a risk assessor for the criminal justice system. The Regulator acknowledges that “the UKAS assessment and accreditation process was not designed to specifically look at risk to the CJS.”
In August 2019, Key Forensic Services commissioned an independent consultant to audit Synlab’s methods, “due to persistent concerns Key held.” Throughout the subcontract period, Key had been raising concerns about Synlab’s methods with Synlab and had submitted blind samples spiked with drugs that revealed problems with how Synlab was applying its acceptance criteria.
In November 2020, a defence expert reviewing analytical data from a batch of samples identified significant issues and referred them directly to the Regulator. This appears to be the first time the Regulator received a referral about the quality of Synlab’s work. Only after the defence expert’s intervention did Synlab formally notify the Regulator and UKAS, and only then did Key Forensic Services suspend submissions.
UKAS had information from June 2019. Key Forensic Services had persistent concerns but did not appear to involve the regulator. Synlab did not self-refer. Once again, just like with Randox, the system depended on a defence expert doing their job. It was only when the Regulator became aware of the risks that the full machinery of the system activated. An independent review was commissioned. A Gold Group was convened. Results were rescinded. Accreditation was withdrawn retroactively. A statutory lessons learnt review was published. The system’s response, once triggered, was thorough, decisive and made public.
The Safeguards That Failed
The Regulator was candid about the failures in the system’s own processes.
The accreditation process did not catch the problem. This matters, because the reforms introduced after Randox were specifically intended to make UKAS assessments more effective at detecting quality failures. UKAS completed a sector-wide review of all toxicology providers in 2018, prompted by the Randox data integrity issues.5 Vertical audits, following individual cases from raw data through to final report, were given increased emphasis. Synlab was granted accreditation in December 2018, after those reforms were in place. Yet the fundamental weaknesses in Synlab’s analytical method went undetected through multiple UKAS assessments until a defence expert found them.
After Randox, the entire point of reforming the assessment process was to catch problems before they reached the courts. The vertical audits were introduced for exactly that reason. Yet by the Regulator’s own account, the process was still not designed to look at risk to the criminal justice system. The safeguards built after Randox were in place. They were not enough.
The lessons learnt review also identified that the regulatory requirements for section 5A analysis were themselves incomplete, and this is worth understanding in some detail.
The specific requirements for drug driving analysis were set out in an appendix to the Regulator’s Codes known as FSR-C-133. This document specified how laboratories should approach section 5A analysis: the requirements for the analytical method, quality controls, how to handle contamination, and how to report results including the Regulator’s required uncertainty of measurement. It was developed by the Forensic Science Regulation Unit in collaboration with the Home Office, the Department for Transport, UKAS, the CPS, and providers of toxicology analysis.
FSR-C-133 was formally published as “issue 5” in December 2021. Crucially, the document had evolved from one draft to the next as part of a consultation process with stakeholders, and UKAS was already using it as part of its accreditation assessments during the period Synlab was operational. Indeed “issue 4” of this document, was dated September 2015 so many of the requirements were well known amongst all stakeholders and had been for a considerably long period. The standard was being applied in real cases. It was being used by UKAS in their assessments.
The review noted that during the period when Key Forensic Services was reviewing Synlab’s analytical data, UKAS was simultaneously developing LAB 51, a guidance document aimed at ensuring consistency across toxicology analysis. The Regulator acknowledged that this created a perception of “changing goalposts,” with UKAS, Key, and Synlab all approaching the requirements for section 5A analysis differently. But UKAS’s own position was clear. It “consider[ed] that the aim of Lab 51 was to clarify requirements that were already defined.” In other words, these were not new rules. They were existing rules of good practice being formally acknowledged as authority.
This matters because the argument that requirements were “only in draft form” during this period may be a predictable line of defence for any organisation that fails to meet them. The Regulator’s response in the Synlab case was instructive. The emerging status of FSR-C-133 and / or Lab51 did not excuse the quality failure. It did not prevent the Regulator from concluding that Synlab’s results were unreliable. It did not stop 1,778 results being rescinded. It did not prevent the Regulator from publishing a lessons learnt review holding the system to account.
The Regulator treated the evolution of published requirements as a problem to fix, not as a reason to look the other way. The statutory Code, which came into force in October 2023, incorporated FSR-C-133’s requirements directly, closing the gap between what was expected and what was formally enforceable.
Synlab itself acknowledged that it “had not appreciated the scientific rigour and scrutiny that results would be subject to within the CJS.”
What Did Work
Once the problem was identified and referred to the Regulator, the response followed the pattern established after Randox.
The Regulator was told. An independent scientific review was commissioned. An NPCC Gold Group coordinated the multi-agency response. UKAS investigated and ultimately withdrew accreditation. The prosecution service assessed affected cases. Results were rescinded. The Regulator published a detailed lessons learnt review with six specific learning points about how to do it better next time. Those learning points led to changes. Formal notification requirements when accreditation is suspended, probationary periods for new entrants, more prescriptive regulatory requirements for section 5A analysis, and a proficiency testing scheme across all providers.
The investigation spanned three Regulators. The referral arrived in November 2020, at the end of Dr Gillian Tully’s tenure. Rupert Shute served as interim Regulator from February 2021. Gary Pugh took office on 16 May 20216 and inherited the investigation, seeing it through to the December 2022 position statement and the May 2024 lessons learnt review. The machinery worked across all three.
The system was not perfect. But when it was told there was a problem, it acted. Publicly, and with accountability.
Three Tests
Between 2017 and 2021, the forensic science system in England and Wales faced three significant failures.
At Randox, staff allegedly manipulated calibration data. At Eurofins, a ransomware attack knocked out the country’s largest private forensic provider. At Synlab, a company that did not understand the demands of forensic science for the courts produced unreliable drug driving results for nearly two years.
Three different causes. Three different providers. But every time, the Regulator was informed. Every time, work was stopped at the compromised provider. Every time, the courts and the defence were told. Every time, someone was held to account, and the system tried to learn from what went wrong.
All three were private sector providers.
This post was researched with the assistance of NotebookLM.
Evidence from Gary Pugh https://committees.parliament.uk/oralevidence/16884/html/