Non-Functional Requirements
Non-Functional Requirements (NFR): {{PROJECT_NAME}}
Project: {{PROJECT_NAME}}
Version: {{VERSION}}
Date: {{DATE}}
Author: {{AUTHOR}}
Status: Draft | In Review | Approved
Reviewers: {{REVIEWERS}}
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | {{DATE}} | {{AUTHOR}} | Initial draft |
1. NFR Overview
| Category | # Requirements | Highest Priority | Owner |
|---|---|---|---|
| Performance | {{COUNT}} | {{HIGH/MED/LOW}} | Tech Lead |
| Scalability | {{COUNT}} | | Tech Lead / DevOps |
| Availability | {{COUNT}} | | DevOps |
| Security | {{COUNT}} | Critical | Tech Lead + Security |
| Reliability | {{COUNT}} | | Tech Lead / DevOps |
| Usability | {{COUNT}} | | Designer |
| Compatibility | {{COUNT}} | | Tech Lead |
| Maintainability | {{COUNT}} | | Tech Lead |
| Compliance | {{COUNT}} | | Tech Lead + Legal |
| Data | {{COUNT}} | | Tech Lead |
2. Performance Requirements
| ID | Requirement | Metric | Target | Measurement Conditions | Measurement Method | Priority |
|---|---|---|---|---|---|---|
| NFR-P01 | Page load time (initial) | Time to Interactive | < 3 seconds | 4G connection, cold cache | Lighthouse / WebPageTest | Must Have |
| NFR-P02 | Page load time (subsequent) | Time to Interactive | < 1.5 seconds | Warm cache | Lighthouse | Must Have |
| NFR-P03 | API response time (standard) | p95 response time | < 500ms | Normal load ({{CONCURRENT_USERS}} users) | APM tool / k6 | Must Have |
| NFR-P04 | API response time (complex queries) | p95 response time | < 2 seconds | Normal load | APM tool | Should Have |
| NFR-P05 | Database query time | p95 query time | < 100ms | Normal load | DB monitoring | Must Have |
| NFR-P06 | File upload throughput | Upload speed | {{SIZE}}MB in < {{TIME}}s | Single user | Load testing | {{PRIORITY}} |
| NFR-P07 | Search response time | p95 response time | < 1 second | Normal load | APM tool | Should Have |
| NFR-P08 | Report generation | Completion time | < {{TIME}} seconds | Normal load | APM tool | Could Have |
| NFR-P09 | Core Web Vitals: LCP | Largest Contentful Paint | < 2.5 seconds | Mobile, 4G | Lighthouse | Must Have |
| NFR-P10 | Core Web Vitals: CLS | Cumulative Layout Shift | < 0.1 | Any device | Lighthouse | Must Have |
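As an added example (not part of this template), the Python below makes the p95 rows of the table above (NFR-P03, P04, P05, P07) concrete: a nearest-rank p95 is computed over a latency sample and compared with each row's target, which is what a k6 threshold or APM alert does. The target numbers are the table's; the sample data and function names are constructed for illustration.

```python
import math

# p95 targets lifted from the Performance table (ms); the sample data below is constructed.
P95_TARGETS_MS = {
    "NFR-P03": 500,    # API response time (standard)
    "NFR-P04": 2000,   # API response time (complex queries)
    "NFR-P05": 100,    # Database query time
    "NFR-P07": 1000,   # Search response time
}


def percentile(samples, pct):
    """Nearest-rank percentile: the smallest observed value that at least pct%
    of samples do not exceed. No interpolation, so the result is always a real
    measured latency and a single slow outlier is never averaged away."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = math.ceil(pct * len(ordered) / 100)  # 1-based rank
    return ordered[max(rank, 1) - 1]


def evaluate(nfr_id, samples_ms):
    """Return (observed p95, passed) for one p95 row of the table.
    The table says '< target', so equality counts as a fail."""
    p95 = percentile(samples_ms, 95)
    return p95, p95 < P95_TARGETS_MS[nfr_id]


# Constructed sample: 100 API calls, 97 between 120 and 315 ms, 3 slow stragglers.
# Only 3% of requests are slow, so p95 ignores them and NFR-P03 passes: a p95
# target tolerates up to 5% of requests being arbitrarily slow, which is why
# teams usually pair it with a p99 or an error-rate requirement such as NFR-R01.
SAMPLE_STANDARD = [120 + (i % 40) * 5 for i in range(97)] + [620, 480, 3100]

if __name__ == "__main__":
    p95, ok = evaluate("NFR-P03", SAMPLE_STANDARD)
    print(f"NFR-P03: p95={p95}ms, target <{P95_TARGETS_MS['NFR-P03']}ms -> {'PASS' if ok else 'FAIL'}")
```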
3. Scalability Requirements
| ID | Requirement | Metric | Launch Target | 12-Month Target | Measurement Method | Priority |
|---|---|---|---|---|---|---|
| NFR-S01 | Concurrent users | Simultaneous active sessions | {{X}} users | {{X}} users | Load testing (k6/JMeter) | Must Have |
| NFR-S02 | Peak load handling | Requests per second | {{X}} RPS | {{X}} RPS | Load testing | Must Have |
| NFR-S03 | Data volume growth | Database size growth | {{X}}GB/year | {{X}}GB/year | Storage monitoring | Should Have |
| NFR-S04 | API rate limits | Max requests per user/hour | {{X}} requests | {{X}} requests | API gateway metrics | Must Have |
| NFR-S05 | File storage growth | Storage volume | {{X}}GB | {{X}}GB | Storage monitoring | Should Have |
| NFR-S06 | Auto-scaling response | Time to scale out under load | < 2 minutes | < 2 minutes | Cloud console metrics | Should Have |
| NFR-S07 | Geographic distribution | Regions supported | {{REGIONS}} | {{REGIONS}} | CDN configuration | {{PRIORITY}} |
4. Availability Requirements
| ID | Requirement | Target | Measurement Period | Exclusions | Priority |
|---|---|---|---|---|---|
| NFR-A01 | System uptime SLA | ≥ {{99.5 / 99.9}}% | Monthly rolling | Scheduled maintenance | Must Have |
| NFR-A02 | Scheduled maintenance window | Max {{X}} hours/month | Monthly | {{PREFERRED_WINDOW}} | Must Have |
| NFR-A03 | Maintenance notification lead time | ≥ 48 hours notice | Per event | Emergency patches: 4 hours | Must Have |
| NFR-A04 | RPO (Recovery Point Objective) | Max {{X}} hours data loss | Per incident | N/A | Must Have |
| NFR-A05 | RTO (Recovery Time Objective) | System restored within {{X}} hours | Per incident | N/A | Must Have |
| NFR-A06 | Database backup frequency | Every {{X}} hours | Ongoing | N/A | Must Have |
| NFR-A07 | Backup retention | {{X}} days rolling | Ongoing | N/A | Must Have |
| NFR-A08 | Disaster recovery test | Pass DR drill | Annually | N/A | Should Have |
SLA Calculation Reference:
| Uptime % | Annual Downtime | Monthly Downtime |
|---|---|---|
| 99.9% | 8.7 hours | 43.8 minutes |
| 99.5% | 43.8 hours | 3.6 hours |
| 99.0% | 87.6 hours | 7.3 hours |
5. Security Requirements
| ID | Requirement | Category | Target / Standard | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-SEC01 | Authentication method | Auth | {{JWT/OAuth2/OIDC}} + MFA optional | Code review + pentest | Must Have |
| NFR-SEC02 | Password policy | Auth | Min 8 chars, 1 uppercase, 1 number, 1 special | Automated test | Must Have |
| NFR-SEC03 | Session management | Auth | Timeout: 30min idle; absolute: 8 hours | Automated test | Must Have |
| NFR-SEC04 | Data encryption in transit | Encryption | TLS 1.3 minimum | SSL Labs scan (grade A+) | Must Have |
| NFR-SEC05 | Data encryption at rest | Encryption | AES-256 for PII; database encryption | Infrastructure review | Must Have |
| NFR-SEC06 | Input validation | Injection Prevention | All inputs sanitized server-side; parameterized queries | Code review + SAST | Must Have |
| NFR-SEC07 | XSS prevention | Injection Prevention | CSP headers; output encoding | OWASP ZAP / DAST | Must Have |
| NFR-SEC08 | CSRF protection | Injection Prevention | CSRF tokens on all state-changing requests | Code review | Must Have |
| NFR-SEC09 | Rate limiting | DDoS/Abuse | API: {{X}} req/min per IP; login: 5 attempts/15min | Load testing | Must Have |
| NFR-SEC10 | Audit logging | Compliance | All auth events, data mutations logged with user + timestamp | Log review | Must Have |
| NFR-SEC11 | Dependency security | Supply Chain | No known critical CVEs in dependencies | Automated scan (Snyk/Dependabot) | Must Have |
| NFR-SEC12 | Secret management | Secrets | No secrets in code/git; use env vars or vault | Code scan + git history check | Must Have |
| NFR-SEC13 | Role-based access control | Authorization | Principle of least privilege; no role escalation | Code review + penetration test | Must Have |
| NFR-SEC14 | Security headers | HTTP Security | HSTS, X-Frame-Options, X-Content-Type-Options | securityheaders.com scan | Must Have |
| NFR-SEC15 | Vulnerability scanning | Operations | Automated scan in CI; critical issues block deploy | CI pipeline | Should Have |
| NFR-SEC16 | Penetration testing | Operations | Annual external pentest | Third-party report | Should Have |
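As an added example (not part of this template), the Python below gives reference logic for the two Security rows whose measurement method is "Automated test": NFR-SEC03's combined idle and absolute session timeouts, and NFR-SEC09's login limit of 5 attempts per 15 minutes. The numbers are the table's; the class names and the choice of a per-account key for the limiter are my own assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

IDLE_TIMEOUT_S = 30 * 60          # NFR-SEC03: 30 min idle
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60  # NFR-SEC03: 8 hours absolute
LOGIN_MAX_FAILURES = 5            # NFR-SEC09: login 5 attempts ...
LOGIN_WINDOW_S = 15 * 60          # ... per 15 min


@dataclass
class Session:
    """Server-side session record; `now` is passed in so tests need no real clock."""
    created_at: float
    last_seen: float

    def is_valid(self, now: float) -> bool:
        # Both limits must hold: activity renews the idle timer but can
        # never push the session past the absolute cap.
        if now - self.created_at >= ABSOLUTE_TIMEOUT_S:
            return False
        return now - self.last_seen < IDLE_TIMEOUT_S

    def touch(self, now: float) -> bool:
        """Record activity. Returns False and leaves the record untouched if
        the session had already expired, so an expired session cannot be revived."""
        if not self.is_valid(now):
            return False
        self.last_seen = now
        return True


@dataclass
class LoginLimiter:
    """Sliding-window count of failed logins per key (account name or client IP)."""
    failures: dict = field(default_factory=dict)

    def record_failure(self, key: str, now: float) -> None:
        self.failures.setdefault(key, deque()).append(now)

    def allowed(self, key: str, now: float) -> bool:
        window = self.failures.get(key)
        if not window:
            return True
        while window and now - window[0] >= LOGIN_WINDOW_S:  # age out old failures
            window.popleft()
        return len(window) < LOGIN_MAX_FAILURES
```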
6. Reliability Requirements
| ID | Requirement | Metric | Target | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-R01 | Application error rate | 5xx errors / total requests | < 0.1% | APM monitoring | Must Have |
| NFR-R02 | Client-side error rate | JS errors per session | < 1% of sessions | Error tracking (Sentry) | Should Have |
| NFR-R03 | MTBF (Mean Time Between Failures) | Average time between incidents | > {{X}} days | Incident tracking | Should Have |
| NFR-R04 | MTTR (Mean Time To Recovery) | Average time to restore service | < {{X}} hours | Incident tracking | Must Have |
| NFR-R05 | Data integrity | Zero data corruption events | 0 incidents | Database integrity checks | Must Have |
| NFR-R06 | Transaction integrity | Atomic transactions | ACID compliance | Database tests | Must Have |
| NFR-R07 | Graceful degradation | Partial failure handling | Non-critical features fail gracefully; core stays up | Chaos testing | Should Have |
| NFR-R08 | Health check endpoint | System health observable | /health returns 200 when healthy | Monitoring | Must Have |
7. Usability Requirements
| ID | Requirement | Target | Measurement Method | Priority |
|---|---|---|---|---|
| NFR-U01 | Time to complete core task | New user completes {{KEY_TASK}} in < {{X}} minutes | Usability testing | Must Have |
| NFR-U02 | Error recovery | User can recover from any error without help | Usability testing | Must Have |
| NFR-U03 | WCAG compliance | WCAG 2.1 Level AA | Automated axe-core + manual review | Must Have |
| NFR-U04 | Keyboard navigation | All interactive elements reachable by keyboard | Manual testing | Must Have |
| NFR-U05 | Screen reader support | Compatible with NVDA / VoiceOver | Manual testing | Should Have |
| NFR-U06 | Mobile responsiveness | Fully functional on 375px–1440px width | Manual + automated | Must Have |
| NFR-U07 | Color contrast | ≥ 4.5:1 for normal text; ≥ 3:1 for large text | Contrast checker | Must Have |
| NFR-U08 | Onboarding completion | {{X}}% of new users complete onboarding | Analytics | Should Have |
| NFR-U09 | Help / documentation | All key features documented in-app or in help center | Content audit | Should Have |
8. Compatibility Requirements
| ID | Requirement | Category | Target | Priority |
|---|---|---|---|---|
| NFR-C01 | Web browsers | Browser | Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ | Must Have |
| NFR-C02 | Mobile browsers | Browser | Safari iOS 15+, Chrome Android 100+ | Must Have |
| NFR-C03 | Mobile operating systems | OS | iOS 15+, Android 11+ | Must Have |
| NFR-C04 | Desktop operating systems | OS | Windows 10+, macOS 12+, Ubuntu 20.04+ | Must Have |
| NFR-C05 | Screen resolutions | Responsive | 375px to 2560px width | Must Have |
| NFR-C06 | Minimum device specs | Performance | Works on mid-range 2020+ devices | Should Have |
| NFR-C07 | Third-party integrations | API | {{EXTERNAL_SYSTEM}} API version {{VERSION}} | Must Have |
| NFR-C08 | Email clients | Email | Gmail, Outlook, Apple Mail, mobile clients | Should Have |
9. Maintainability Requirements
| ID | Requirement | Metric | Target | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-M01 | Test coverage | % of code covered by automated tests | ≥ 80% overall; ≥ 95% for critical paths | CI coverage report | Must Have |
| NFR-M02 | Code documentation | % of public APIs documented | 100% of public APIs | Code review | Must Have |
| NFR-M03 | Cyclomatic complexity | Per-function complexity | Max 10 per function; refactor if exceeded | Static analysis (SonarQube) | Should Have |
| NFR-M04 | Dependency currency | % of dependencies on current major version | ≥ 80% current; 0 dependencies with critical CVEs | Automated scan | Should Have |
| NFR-M05 | Deployment frequency | Time to deploy a bug fix to production | < 1 hour from merge | CI/CD metrics | Should Have |
| NFR-M06 | Feature flag support | Ability to disable features without deploy | Available for all major features | Code review | Could Have |
| NFR-M07 | Logging completeness | Log coverage for operations | All external calls, errors, and user mutations logged | Log review | Must Have |
| NFR-M08 | Monitoring observability | Dashboards for key metrics | Dashboards for error rate, response time, uptime | Monitoring tool | Must Have |
10. Compliance Requirements
| ID | Regulation | Applicability | Requirement | Technical Implementation | Priority |
|---|---|---|---|---|---|
| NFR-COMP01 | GDPR | {{YES — if handling EU personal data}} | Lawful basis for processing; right to deletion; DPA required; breach notification within 72h | User data deletion API; audit logs; DPA in place | Must Have |
| NFR-COMP02 | GDPR — Cookie consent | {{YES — if using tracking cookies}} | Explicit consent before non-essential cookies | Cookie consent banner; opt-in only tracking | Must Have |
| NFR-COMP03 | GDPR — Data minimization | Yes | Collect only data necessary for stated purpose | BA review of data model | Must Have |
| NFR-COMP04 | {{HIPAA}} | {{YES/NO — healthcare data}} | PHI protection; audit logs; BAA required | Role-based access; encrypted PHI fields | {{PRIORITY}} |
| NFR-COMP05 | {{PCI-DSS}} | {{YES/NO — payment card data}} | SAQ compliance; tokenization; no card storage | Stripe/payment gateway tokenization | {{PRIORITY}} |
| NFR-COMP06 | Norwegian Personvernloven | {{YES}} | Alignment with GDPR national implementation | Legal review | Must Have |
| NFR-COMP07 | WCAG 2.1 AA | {{YES}} | Digital accessibility | NFR-U01 to NFR-U07 | Must Have |
11. Data Requirements
| ID | Requirement | Category | Target | Implementation | Priority |
|---|---|---|---|---|---|
| NFR-D01 | Data retention — user data | Retention | {{X}} years active; deleted within 30 days of account deletion request | Scheduled deletion job | Must Have |
| NFR-D02 | Data retention — logs | Retention | Application logs: 90 days; Audit logs: 3 years | Log rotation policy | Must Have |
| NFR-D03 | Database backup frequency | Backup | Full backup daily; transaction logs every {{X}} hours | Automated backup schedule | Must Have |
| NFR-D04 | Backup encryption | Backup | Backups encrypted with AES-256 | Infrastructure config | Must Have |
| NFR-D05 | Data integrity checks | Integrity | Database constraints; no orphaned records | DB schema + integration tests | Must Have |
| NFR-D06 | PII identification | Privacy | All PII fields identified and documented | Data dictionary | Must Have |
| NFR-D07 | Data export | Portability | User can export their data in machine-readable format (GDPR Article 20) | Export API endpoint | Must Have |
| NFR-D08 | Data anonymization | Privacy | Anonymize user data in non-production environments | Dev/staging data scripts | Must Have |
| NFR-D09 | Archival strategy | Retention | Data older than {{X}} years archived to cold storage | Archive schedule | Should Have |
12. NFR Testing & Verification Plan
| NFR Category | Testing Method | Tools | Frequency | Pass Criteria |
|---|---|---|---|---|
| Performance | Load testing | k6, JMeter, Lighthouse | Pre-launch + monthly | All NFR-P targets met |
| Scalability | Stress testing | k6 | Pre-launch | System gracefully handles 2× peak load |
| Security | SAST + DAST + Pentest | Snyk, OWASP ZAP, external pentest | CI (SAST), Pre-launch (DAST+Pentest), Annual | No critical/high vulnerabilities unresolved |
| Accessibility | Automated + manual | axe-core, manual screen reader | Per sprint | WCAG 2.1 AA |
| Availability | Monitoring + DR drill | Uptime monitor | Ongoing + annual | SLA targets met |
| Compliance | Legal review + audit | Manual + automated | Pre-launch + annual | All compliance items verified |
Approval
| Role | Name | Date | Signature |
|---|---|---|---|
| Author | | | |
| Reviewer | | | |
| Tech Lead | | | |
| Business Analyst | | | |
| Product Owner | | | |
| AI Director (John) | | | |
| Client Representative | | | |