When I read regulatory documents I always try to imagine what possible reason there can be for someone to write a regulation and what may have been the real-world case(s) that will be prevented by that text.
Sometimes it is clear that a text not only is intended to have specific consequences, but also is based on real historic situations that went bad for the community… because the regulation was not in place. Anybody with more than 5 years in programming and system management can clearly see the root cause for almost each and every item in 21 CFR 11.
21 CFR 11.10(a): Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
This imposition must derive from situations where the regulated company said that the “software” was bought as it was, in full confidence that the seller's promises of quality and of fulfillment of the regulatory requirements were true.
Many times the promises may even have been made in good faith, but if an audit shows that the software product does not fulfill the requirements, does not prevent irregular situations, etc., then the regulated company is at fault for not doing due diligence during the procurement process.
21 CFR 11.10(a) requires that regulated companies perform due diligence when contracting a piece of software for purposes that are regulated. Although validation can mean many different things, this due diligence simply means that the regulated company should draw up a set of requirements and should verify and document that the contracted software fulfills them.
Most of the FDA documents regarding electronic records are just codified common sense, like: “[…] we believe it would not be prudent to store both primary and backup electronic records on the same computer hard drive because both could be lost if the hard drive fails.” (Draft of “Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures; Maintenance of Electronic Records”)
Does this mean that “Backups must not reside on the same Infrastructure as the original backed up data” should go into the Requirement Specification? Yes. As a requirement of 21 CFR 11? If that is the way to get the requirement in there. But it should be in the specification because it is common sense.