Common Questions to Capture NFRs
Non-functional requirements (NFRs) are global constraints on a system, often called software qualities or simply the “ilities”: for example development cost, operational cost, performance, reliability, maintainability and portability.
Quality measures are relative: we can usually say that system A has better quality than system B in some respect, but it is hard to say how much better. Weigh all the qualities of the system, and the NFRs you have been given, against each other while designing it.
NFRs are hard to model and hard to turn into measurable requirements. If they are stated only informally, they:
- often contradict each other,
- are difficult to enforce during development, and
- are difficult for the customer to evaluate before delivery.
The examples and questions below help to capture them as concrete, testable statements:
Security
- Requirements related to authentication and authorization:
  - Who can do what?
  - Who can access the system?
  - Create a roles and permissions matrix and have it reviewed; anything not in the matrix should be denied by default.
- Login related requirements, for example:
  - Users must change the initially assigned password immediately after the first successful login.
  - Users must provide a one-time password (OTP) in addition to their credentials.
  - Multi-factor authentication (MFA) is mandatory for administrators, or for all users.
  - SAML based Single Sign-On (SSO).
  - Password requirements (minimum length, complexity, history, expiry, lockout after failed attempts).
  - Inactivity timeouts: the duration, the action taken when the timeout fires, and how it is traced.
- Information related security:
  - Which data is sensitive and needs to be protected? Answer this with a data classification.
  - Is approval required from any team (for example security, legal or data protection) before sensitive data is processed?
  - Which type of encryption will be used and at what level (in transit, at rest, or per field)?
  - System data needs to be backed up every x hours.
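The authentication and authorization items above only become enforceable once the roles and permissions matrix is data the system can check. The following is an added example, not code from the original page: a constructed matrix with a deny-by-default lookup, plus the login gates the checklist names (inactivity timeout, MFA for administrators, forced password change after first login). Every role, resource, action and policy value is an assumption made for illustration.

```python
"""Added example: roles-and-permissions matrix kept as data, deny-by-default
authorization, and the session gates from the security checklist. All roles,
resources, actions and thresholds below are constructed, not from any real system."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed matrix: role -> resource -> set of permitted actions.
# Anything absent from the matrix is denied, so a typo in a role or resource
# name fails closed rather than open.
PERMISSIONS = {
    "admin": {
        "users": {"read", "create", "update", "delete"},
        "orders": {"read", "update", "delete"},
        "audit_log": {"read"},
        "account": {"change_password"},
    },
    "support": {
        "users": {"read"},
        "orders": {"read", "update"},
        "account": {"change_password"},
    },
    "customer": {
        "orders": {"read", "create"},
        "account": {"change_password"},
    },
}

# Constructed policy values standing in for the measurable NFRs.
INACTIVITY_TIMEOUT = timedelta(minutes=15)
MFA_REQUIRED_ROLES = {"admin"}


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    mfa_verified: bool = False
    must_change_password: bool = False


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Pure matrix lookup; an unknown role or resource yields an empty set."""
    return action in PERMISSIONS.get(role, {}).get(resource, set())


def authorize(session: Session, resource: str, action: str, now: datetime):
    """Return (allowed, reason). Session-level gates run before the matrix so
    an expired or unverified session never reaches the permission check."""
    if now - session.last_activity > INACTIVITY_TIMEOUT:
        return False, "session expired (inactivity timeout)"
    if session.role in MFA_REQUIRED_ROLES and not session.mfa_verified:
        return False, "mfa required for role"
    changing_password = resource == "account" and action == "change_password"
    if session.must_change_password and not changing_password:
        return False, "initial password must be changed first"
    if not is_allowed(session.role, resource, action):
        return False, "denied by permission matrix"
    session.last_activity = now  # a successful request counts as activity
    return True, "ok"


def matrix_rows(perms=PERMISSIONS):
    """Flatten the matrix to sorted (role, resource, action) rows for the
    review and sign-off step of the checklist."""
    return sorted(
        (role, resource, action)
        for role, resources in perms.items()
        for resource, actions in resources.items()
        for action in actions
    )


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    for role, resource, action in matrix_rows():
        print(f"{role:9} {resource:10} {action}")
    stale = Session("alice", "admin", now - timedelta(minutes=20), mfa_verified=True)
    print(authorize(stale, "users", "delete", now))  # expired session
```

The order of checks in `authorize` is deliberate: session validity and login-state gates come first, and the matrix is consulted last, so a requirement such as "admins must use MFA" cannot be bypassed by a role that happens to hold broad permissions.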
Usability
- User interface standards (style guide).
- Globalization/localization requirements.
- Target devices and users.
- Efficiency of use: how quickly and accurately can users complete their tasks with the product?
Maintainability, Reusability
- Which development practice will be used: ATDD, TDD, or neither? Development without automated unit tests is sometimes accepted, but TDD is the recommended option from a maintainability standpoint.
- Which code analysis tool(s) will be used to find redundant code and to compute a maintainability index?
- What will the review strategy and process be?
- Conformance to defined technical guidelines, standards or best practices: are there coding standards or guidelines prepared by the existing architecture or CoE team that must be followed?
Performance and scalability
- What are the minimum and maximum numbers of actual/expected concurrent users?
- When is the peak load time of the system, and how many users access the system during it?
- How many users visit the application in 24 hours?
- What performance goals decide whether the system is ready for go-live? For example:
  - Response time: for each business function and page (state the percentile, such as the 95th, rather than only an average).
  - User load: minimum and maximum numbers of concurrent users.
  - Transaction rate: minimum number of transactions per second.
  - Hardware resource utilization: CPU, disk, memory, etc. For example, CPU utilization on the production server should not exceed 70%.
  - Expected throughput of the system: for example, 1000 transactions per second.
- What are the system or query response times? What is the transaction rate of each business process?
- Throughput: how many transactions will the system handle?
- Storage: baseline and target data volume.
- Expected growth: year-on-year growth requirements for number of users, transaction processing and data volume.
- What capacity is required in terms of memory, disk space and data volumes?
- What is the current capacity of the available production server(s)?
- How much load can a server handle?
- Can it be scaled? If yes, how?
- How many processes or threads is the server configured to handle?
- What are the configuration and capabilities of the database server(s)?
- Is the database server shared with other applications/systems?
- Which hardware configuration provides the best performance for the identified technologies or tools?
- How many servers are required to support the system?
- Are there any shared production resources?
- Is the LAN or WAN dedicated or shared with other applications/resources?
- What type of load balancing scheme is used (round robin, sticky IP, least connections, subnet based)? What is the failover configuration?
- Which load balancer will be used, and is it available?
- What is the maintenance schedule of all involved servers and the load balancer?
- Can a server be removed without compromising performance?
- What type of performance testing needs to be performed?
  - Load testing: tests the application's ability to perform under the anticipated user load.
  - Stress testing: tests the application under extreme workloads to see how it handles very high traffic or data processing; the objective is to find its breaking point.
  - Endurance testing: makes sure the software can handle the expected load over a long period of time.
  - Spike testing: tests the software's reaction to a sudden large spike in user load.
  - Volume testing: tests the behaviour of the system when the data volume is high.
  - Scalability testing: determines how effectively the application supports an increase in user load.
- What testing tools are available?
- Which environment will be used for performance testing? Will it be identical to production or not?
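The go-live goals listed above are only useful if the load-test output is checked against them mechanically rather than by eyeballing averages. The following is an added example, not from the original page: constructed goals (95th-percentile response time per business function, minimum throughput, a CPU ceiling and an error-rate ceiling) evaluated against constructed load-test samples. All numbers are assumptions for illustration; real figures come from the requirements workshop and the test tool.

```python
"""Added example: a go-live gate that turns performance goals into pass/fail
checks over load-test output. Goals and samples are constructed for illustration."""
import math
from statistics import mean

# Constructed goals. Response-time goals are per business function at the
# 95th percentile, which is far less forgiving than an average.
GOALS = {
    "response_time_p95_ms": {"login": 800, "checkout": 1500},
    "min_throughput_tps": 1000,
    "max_cpu_percent": 70,
    "max_error_rate": 0.001,
}

# Constructed load-test output: per-page response times in ms, throughput per
# reporting interval, CPU samples from the application server, and counts.
SAMPLE_RESULTS = {
    "response_ms": {
        "login": [300, 350, 400, 420, 450, 500, 520, 600, 700, 790],
        "checkout": [900, 1000, 1100, 1200, 1300, 1350, 1400, 1450, 1480, 1900],
    },
    "tps": [1050, 1100, 1020, 1080],
    "cpu_percent": [55, 60, 68, 69],
    "requests": 100_000,
    "errors": 50,
}


def percentile(samples, p):
    """Nearest-rank percentile for 0 < p <= 100."""
    if not samples:
        raise ValueError("no samples")
    if not 0 < p <= 100:
        raise ValueError("p must be in (0, 100]")
    ordered = sorted(samples)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def evaluate(goals, results):
    """Return a list of (check, measured, limit, passed) tuples."""
    report = []
    for page, limit in goals["response_time_p95_ms"].items():
        p95 = percentile(results["response_ms"][page], 95)
        report.append((f"p95 response time: {page}", p95, limit, p95 <= limit))
    tps = mean(results["tps"])  # sustained throughput over the steady-state run
    report.append(("throughput (tps)", tps, goals["min_throughput_tps"],
                   tps >= goals["min_throughput_tps"]))
    cpu = max(results["cpu_percent"])  # peak, because the goal is a ceiling
    report.append(("peak CPU (%)", cpu, goals["max_cpu_percent"],
                   cpu <= goals["max_cpu_percent"]))
    err = results["errors"] / results["requests"]
    report.append(("error rate", err, goals["max_error_rate"],
                   err <= goals["max_error_rate"]))
    return report


def ready_for_go_live(report):
    """Every check must pass; a single failed goal blocks release."""
    return all(passed for _, _, _, passed in report)


if __name__ == "__main__":
    report = evaluate(GOALS, SAMPLE_RESULTS)
    for check, measured, limit, passed in report:
        status = "PASS" if passed else "FAIL"
        print(f"{status} {check}: {measured} (limit {limit})")
    print("ready for go-live:", ready_for_go_live(report))
```

With the constructed samples the checkout page passes on average (around 1300 ms) but fails at the 95th percentile (1900 ms), which is exactly why the goal should name the percentile.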
Availability
- What will the hours of operation be?
- What will the locations of operation be?
- When is the best time to schedule downtime or maintenance?
- What notification do users need when the system is going down for maintenance? How much advance notice should they receive?
- Is there a plan to handle infrastructure issues or other unexpected failures?
- What will the backup and recovery plan for the system be?
- What is the strategy and plan for dealing with excess or unexpected load?
- How will a Denial of Service (DoS) attack be dealt with (for example rate limiting, upstream filtering, capacity headroom)?
Reliability
- Example: the system must have less than 1 hour of downtime per three months.
- Mean time to failure (MTTF): how long must the system run between failures?
- Mean time to recovery (MTTR): if a failure happens, how much time is acceptable to recover the system?
Recoverability
- Recovery process
- Recovery Point Objective (RPO): how much data, measured as time since the last consistent copy, may be lost?
- Recovery Time Objective (RTO): how long may it take to restore service?
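The reliability and recoverability items above are worth little unless they are checked against what actually happened. The following is an added example, not from the original page: the "less than 1 hour of downtime per three months" target, MTTR, MTBF, RTO and RPO computed from a constructed incident log and backup schedule. All dates, durations and thresholds are assumptions for illustration, including the deliberately missed backup that shows how an RPO gets violated.

```python
"""Added example: reliability and recoverability targets checked against a
constructed incident log and backup schedule. Every value is illustrative."""
from datetime import datetime, timedelta

# Constructed targets.
QUARTER = (datetime(2024, 1, 1), datetime(2024, 4, 1))
MAX_DOWNTIME_PER_QUARTER = timedelta(hours=1)
RTO = timedelta(minutes=30)  # recovery must complete within this
RPO = timedelta(hours=4)     # at most this much data, by time, may be lost

# Constructed incident log: (outage start, service restored).
INCIDENTS = [
    (datetime(2024, 1, 10, 2, 0), datetime(2024, 1, 10, 2, 20)),
    (datetime(2024, 2, 3, 14, 5), datetime(2024, 2, 3, 14, 50)),
]

# Constructed 4-hourly backup schedule across the quarter, with one backup
# (2024-02-03 12:00) deliberately missing to model a failed backup job.
MISSED_BACKUP = datetime(2024, 2, 3, 12, 0)
BACKUPS = [QUARTER[0] + timedelta(hours=4 * i) for i in range(91 * 6)]
BACKUPS = [b for b in BACKUPS if b != MISSED_BACKUP]


def total_downtime(incidents):
    return sum((end - start for start, end in incidents), timedelta())


def mttr(incidents):
    """Mean time to recovery: average outage duration."""
    return total_downtime(incidents) / len(incidents)


def mtbf(incidents, period):
    """Mean time between failures: operating time divided by failure count."""
    start, end = period
    return ((end - start) - total_downtime(incidents)) / len(incidents)


def availability(incidents, period):
    """Fraction of the period during which the service was up."""
    start, end = period
    return 1 - total_downtime(incidents) / (end - start)


def rto_violations(incidents, rto=RTO):
    """Incidents whose recovery took longer than the RTO."""
    return [(s, e) for s, e in incidents if e - s > rto]


def data_loss_window(failure_time, backups):
    """Time from the last completed backup to the failure: what an RPO bounds."""
    before = [b for b in backups if b <= failure_time]
    if not before:
        raise ValueError("no backup completed before failure")
    return failure_time - max(before)


def quarter_report(incidents=INCIDENTS, period=QUARTER, backups=BACKUPS):
    return {
        "downtime_ok": total_downtime(incidents) < MAX_DOWNTIME_PER_QUARTER,
        "availability": availability(incidents, period),
        "mttr": mttr(incidents),
        "mtbf": mtbf(incidents, period),
        "rto_violations": rto_violations(incidents),
        "rpo_ok": all(data_loss_window(s, backups) <= RPO for s, _ in incidents),
    }


if __name__ == "__main__":
    for key, value in quarter_report().items():
        print(f"{key}: {value}")
```

Two 20 and 45 minute outages already breach a one-hour-per-quarter budget even though availability still rounds to 99.95%, and the 45 minute incident breaches the 30 minute RTO; a single missed backup before the second outage stretches the data-loss window to just over six hours against a four-hour RPO.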
Manageability
- Who will perform system upgrades, and how?
- What will the logging, monitoring and configuration strategies be?
- How will the system be diagnosed when something goes wrong?
- What information needs to be logged?
- Where will the logging information be stored?
- How will the logging information be viewed; are tools available?
- What needs to be monitored?
  - Performance stats
  - Infrastructure or networking stats
  - Resource monitoring
  - Security monitoring
  - Errors and exceptions
  - Whether financial transactions are secure and accurate
Audit/Traceability
- Which data needs to be audited?
- Which transactions need to be traced?
- Logging information and level of detail (who did what, when, from where, and with what outcome).
Environmental
- Target environments: can the system be installed in different environments (for instance, on a Mac and a PC) and in different geographies and locations?
- Which operating environment(s) will be supported?
- Details of every type of environment in which the system will be used.
Interoperability
- List of impacted systems.
- Have the changes been discussed with the other teams that use, or will use, the component/service?
- What is the plan for obtaining sign-off from the other teams' stakeholders?
- How will contracts be defined and shared with other teams; is there a specific tool or shared repository?
Documentation
- What types of documents are required?
- User guide
- Technical guide
- System document
- Training document
Deployment
- Can CI and CD be used? What tools are required for them?
- How will source code be maintained (branching and versioning) so that new features can be introduced and defects fixed easily?
- What will the deployment plan be, covering scope, approach and execution?
- Which deployment approach will be used, for example blue/green or canary?
Compliance
- Requirements related to compliance:
  - Legal compliance requirements
  - Standards compliance requirements
  - Requirements related to SLAs