Introduction: Non-Functional Requirements Examples and Templates
Define essential non-functional requirements examples and templates to ensure your systems perform at their best
Non-functional requirements (NFRs) are a critical aspect of system design, focusing on how a system performs rather than what it does. These include attributes such as performance, security, and usability. In this article, we explore common examples of non-functional examples and a practical template is provided to help ensure your projects meet quality standards. Understanding and documenting NFRs effectively can improve both the development process and the final product.
Examples of non-functional requirements (NFRs) are provided for different deployment types, offering a useful starting point for business analysts. While these examples cover key areas such as performance, security, and scalability, they are not exhaustive and must reviewed and validated against business need and your organisation’s ICT principles.
This checklist will assist in uncovering important NFRs and you will also find helpful examples in this glossary. It’s important to tailor NFRs to each project’s specific needs, ensuring they are comprehensive enough to guide development while reflecting the unique requirements of the deployment environment.
The priority ranking for each example requirement is suggested and should be adjusted according to your organisations needs.
COTS (Commercial Off-The-Shelf)
COTS solutions are pre-built software systems designed for general use, often with limited customisation capabilities.
Category | Requirement | Priority |
---|---|---|
Performance | Response time for critical functions must not exceed 2 seconds under normal load. | Mandatory |
COTS software must process 10,000 transactions per minute at peak loads. | Desirable | |
User interfaces must load within 3 seconds for 90% of interactions. | Desirable | |
System must integrate with existing hardware without performance degradation. | Mandatory | |
Batch processes must complete overnight (within 8 hours). | Desirable | |
Scalability | COTS software must support a 200% increase in active users over 3 years. | Desirable |
The system must support additional modules without requiring full reinstallation. | Mandatory | |
Scalability testing results must meet projected future demands. | Desirable | |
COTS systems must provide APIs for horizontal scaling. | Desirable | |
Customisation of workflows must not degrade system scalability. | Optional | |
Security | Must include role-based access control (RBAC) to secure user permissions. | Mandatory |
Encryption must protect sensitive data stored in the system. | Mandatory | |
Vendor must provide a detailed vulnerability management policy. | Mandatory | |
System must comply with industry-specific security standards (e.g., PCI DSS for payment processing). | Mandatory | |
Audit logs must capture login failures and administrative actions. | Desirable | |
Availability | COTS software must maintain 99.9% uptime as per vendor SLA. | Mandatory |
Vendor must provide automated failover mechanisms for hosted systems. | Desirable | |
Maintenance windows must not exceed 2 hours per quarter. | Mandatory | |
System downtime notifications must be sent at least 7 days in advance. | Desirable | |
COTS systems must provide hot-swappable components for critical hardware. | Optional | |
Monitoring | Vendor must provide built-in monitoring tools for system health. | Mandatory |
Monitoring dashboards must show real-time and historical data usage trends. | Desirable | |
Alerts must trigger for resource utilisation exceeding 80%. | Desirable | |
Logs must integrate with third-party monitoring systems. | Mandatory | |
Performance metrics must support export to external reporting tools. | Desirable | |
Auditability | Vendor-supplied audit logs must meet compliance regulations (e.g., GDPR). | Mandatory |
Access to audit data must support multi-level permissions. | Desirable | |
Audit logs must retain data for at least 12 months. | Mandatory | |
System must include audit trail for data imports and exports. | Desirable | |
Audit tools must provide visualisation of user activity trends. | Optional | |
Maintainability | Vendor must provide regular software updates and patches. | Mandatory |
System configuration changes must require no downtime. | Desirable | |
Training manuals must be supplied for in-house maintenance staff. | Optional | |
Documentation must include detailed APIs for customisation. | Desirable | |
Support contracts must include SLAs for resolving critical bugs within 48 hours. | Mandatory | |
Usability | Interfaces must follow accessibility standards (e.g., WCAG 2.1). | Mandatory |
User roles and workflows must be customisable for different departments. | Desirable | |
UI language must support multiple localisations. | Desirable | |
Error messages must be easily understandable by non-technical users. | Mandatory | |
Tutorials must guide end-users through major features. | Optional | |
Portability | COTS software must support migration to new hardware platforms. | Mandatory |
Data exports must follow open standards (e.g., XML, CSV). | Desirable | |
System configurations must be replicable across instances. | Desirable | |
Vendor must provide tools for migrating to upgraded versions. | Mandatory | |
Multi-platform support (e.g., Linux, Windows) must be available. | Desirable |
Cloud
Cloud deployments leverage infrastructure, platforms, or software provided over the internet by a third party. They offer high scalability and flexibility but require careful consideration of security, cost, and latency.
Category | Requirement | Priority |
---|---|---|
Performance | Response time for cloud-based applications must not exceed 2 seconds under normal load conditions. | Mandatory |
Data retrieval for queries must complete within 3 seconds for 95% of cases. | Mandatory | |
Batch processes must complete within the defined business SLA (e.g., overnight for financial reports). | Mandatory | |
Cloud storage latency must not exceed 20ms for critical file operations. | Desirable | |
Cloud-hosted services must support simultaneous execution of 100,000 transactions per second at peak load. | Optional | |
Scalability | Cloud infrastructure must auto-scale resources based on demand spikes. | Mandatory |
Horizontal scaling must support adding 10 additional servers within 5 minutes. | Desirable | |
API gateways must handle a 500% increase in request volume during peak periods. | Desirable | |
Application tiers must scale independently to optimise cost and performance. | Desirable | |
Disaster recovery systems must scale to replicate the entire workload in under 10 minutes. | Mandatory | |
Security | Cloud data must be encrypted in transit (e.g., TLS 1.3) and at rest (e.g., AES-256). | Mandatory |
Identity federation must integrate with enterprise SSO providers (e.g., Okta, Azure AD). | Desirable | |
The system must comply with regional data privacy laws (e.g., GDPR, CCPA). | Mandatory | |
Cloud services must provide multi-factor authentication (MFA) for all administrative accounts. | Mandatory | |
Intrusion detection and prevention systems (IDPS) must monitor all inbound and outbound traffic. | Desirable | |
Availability | Cloud infrastructure must meet an uptime SLA of 99.99%. | Mandatory |
System failover between primary and secondary regions must complete within 30 seconds. | Mandatory | |
Scheduled maintenance downtime must not exceed 4 hours per year. | Desirable | |
Cloud providers must guarantee 24/7 support for critical issues. | Desirable | |
Redundant network paths must ensure uninterrupted connectivity. | Mandatory | |
Monitoring | Cloud services must provide real-time performance monitoring dashboards. | Mandatory |
Monitoring systems must trigger alerts for resource utilisation exceeding 80%. | Mandatory | |
Historical logs must be retained for a minimum of 2 years for auditing purposes. | Desirable | |
Resource usage reports must be exportable in formats like CSV or JSON. | Desirable | |
Monitoring tools must integrate seamlessly with on-premise systems (if applicable). | Optional | |
Auditability | Audit logs must record all administrative activities, including access changes and configuration updates. | Mandatory |
Logs must be immutable and tamper-proof for compliance purposes. | Mandatory | |
User access and activity logs must be exportable for third-party analysis. | Desirable | |
Retention policies for audit logs must comply with industry regulations (e.g., HIPAA). | Mandatory | |
Log analytics must include trend analysis to identify unusual patterns. | Optional | |
Maintainability | Cloud systems must support zero-downtime patching. | Mandatory |
Vendor documentation must cover all APIs, SDKs, and integration points. | Mandatory | |
Cloud services must provide a sandbox environment for testing and development. | Desirable | |
Updates to cloud-hosted applications must propagate within 30 minutes of deployment. | Desirable | |
Maintenance schedules must align with agreed-upon change management policies. | Optional | |
Usability | Cloud management interfaces must provide detailed, real-time resource utilisation metrics. | Desirable |
Administrative dashboards must include intuitive workflows for non-technical users. | Optional | |
User interfaces must be mobile-responsive to allow access from any device. | Desirable | |
Role-based access configuration must be customisable via the UI. | Mandatory | |
Onboarding tutorials must be provided for new administrators. | Optional | |
Portability | Applications must be deployable on multiple cloud providers to avoid vendor lock-in. | Mandatory |
Cloud resources must support export to on-premise systems or alternative providers. | Desirable | |
Containerisation must be used to ensure consistency across deployments. | Mandatory | |
Virtual machines must support snapshots for migration purposes. | Desirable | |
Deployment templates must support multi-cloud configurations (e.g., AWS and Azure). | Desirable |
SaaS (Software as a Service)
SaaS involves accessing software applications hosted by a third-party provider over the internet. SaaS platforms handle most of the IT infrastructure and application management.
Category | Requirement | Priority |
---|---|---|
Performance | SaaS applications must provide response times of under 2 seconds for 95% of all user interactions. | Mandatory |
The system must support up to 10,000 concurrent users without degrading performance. | Mandatory | |
Page load time for critical workflows must not exceed 3 seconds. | Desirable | |
Background processing (e.g., email notifications) must complete within 5 minutes of trigger. | Desirable | |
SaaS platform must scale to meet demand spikes, ensuring no downtime or performance degradation. | Mandatory | |
Scalability | The system must support scaling up by 500% during peak periods without manual intervention. | Mandatory |
The platform must allow customers to dynamically add or remove users based on subscription. | Desirable | |
SaaS should allow the addition of new modules or features with minimal impact on existing users. | Desirable | |
Automatic scaling should be available to handle up to 100,000 requests per minute. | Desirable | |
The system must be able to scale independently based on customer-specific configurations. | Mandatory | |
Security | SaaS platform must encrypt all sensitive data in transit and at rest using industry-standard protocols. | Mandatory |
The system must support multi-factor authentication (MFA) for all users accessing administrative functions. | Mandatory | |
User roles and permissions must be configurable and granular to restrict access. | Mandatory | |
Regular security patches and updates must be applied to the platform. | Desirable | |
SaaS platform must comply with GDPR, CCPA, and other relevant data privacy laws. | Mandatory | |
Availability | SaaS applications must provide at least 99.9% uptime as per SLA agreements. | Mandatory |
Cloud infrastructure should automatically failover to a backup region within 5 minutes. | Mandatory | |
Maintenance windows must be scheduled during off-peak hours and cannot exceed 4 hours per month. | Desirable | |
SaaS provider must guarantee 24/7 support with critical issue resolution within 1 hour. | Desirable | |
The system must offer geographically redundant data centres to ensure regional availability. | Mandatory | |
Monitoring | The SaaS provider must include built-in monitoring tools to track user activity and system health. | Mandatory |
Detailed logging of user activity must be available for compliance and troubleshooting. | Mandatory | |
Monitoring must include resource utilisation (e.g., CPU, memory, bandwidth) and trigger alerts at 80% usage. | Desirable | |
Alerts and notifications must be sent via email or SMS for any service disruption. | Desirable | |
The platform must provide detailed reports on system performance and user activity. | Optional | |
Auditability | Audit logs must be maintained for a minimum of 12 months, with export capabilities. | Mandatory |
All administrative actions, including changes to user roles and permissions, must be logged. | Mandatory | |
SaaS platform must support integration with third-party SIEM tools for enhanced auditability. | Desirable | |
Audit logs must be immutable and stored securely, preventing tampering. | Mandatory | |
System must allow the export of audit logs to a central location for compliance purposes. | Desirable | |
Maintainability | The platform must support automated updates with no downtime. | Mandatory |
The SaaS provider must offer dedicated support channels for troubleshooting issues. | Mandatory | |
Documentation must be provided for troubleshooting and resolving common issues. | Desirable | |
API endpoints must be versioned and backward compatible to avoid breaking existing integrations. | Desirable | |
SaaS platform should provide tools for easy integration with existing business systems (e.g., CRM, ERP). | Mandatory | |
Usability | The user interface should be intuitive and designed for non-technical users. | Mandatory |
Help guides and tutorials must be easily accessible from within the platform. | Desirable | |
SaaS platform should include accessibility features for users with disabilities (e.g., screen readers). | Mandatory | |
User feedback mechanisms (e.g., surveys) must be incorporated for continuous improvement. | Desirable | |
SaaS should include mobile app support for access on the go. | Optional | |
Portability | The SaaS application must support data export in open formats (e.g., CSV, JSON) to facilitate migration. | Desirable |
APIs must be provided for accessing data in external systems. | Desirable | |
SaaS platform should offer the ability to migrate user data to another provider or on-premise solution. | Desirable | |
Data backups must be easily restorable to ensure business continuity. | Mandatory | |
Customisation settings (e.g., workflows) must be portable across different user accounts or organisations. | Desirable |
On-Premise
On-premise solutions are hosted on the organisation’s own infrastructure, offering greater control over data and security but requiring more management and resources.
Category | Requirement | Priority |
---|---|---|
Performance | On-premise systems must support real-time processing for at least 10,000 transactions per minute. | Mandatory |
Response times for critical functions must not exceed 3 seconds during peak usage. | Mandatory | |
System must support batch processing jobs (e.g., report generation) to complete within 4 hours. | Desirable | |
On-premise servers must provide at least 10Gbps bandwidth for inter-server communication. | Desirable | |
Performance degradation should not exceed 10% during system upgrades. | Optional | |
Scalability | The system must support the addition of 25% more servers in under 48 hours to handle increased demand. | Desirable |
On-premise software must scale to accommodate up to 50,000 concurrent users without performance degradation. | Mandatory | |
The platform must support vertical scaling (e.g., upgrading server resources) without major downtime. | Mandatory | |
Backup systems should scale automatically to handle increased data volumes during backups. | Desirable | |
Disaster recovery must include the ability to restore operations within 30 minutes in case of hardware failure. | Desirable | |
Security | All sensitive data must be encrypted using AES-256 encryption at rest and TLS for data in transit. | Mandatory |
On-premise systems must implement strict access controls using RBAC. | Mandatory | |
Endpoint protection software must be used on all devices accessing the system to prevent malware. | Desirable | |
The system must include intrusion detection/prevention systems (IDPS) to monitor for malicious activities. | Desirable | |
User authentication must support multi-factor authentication (MFA) for administrative roles. | Mandatory | |
Availability | On-premise infrastructure must achieve 99.9% uptime for critical systems. | Mandatory |
Backup power systems (e.g., UPS, generators) must be available to support at least 8 hours of operation. | Desirable | |
System must include failover mechanisms to ensure high availability of critical services. | Mandatory | |
Scheduled maintenance must be performed during non-peak hours to minimise business impact. | Desirable | |
Off-site disaster recovery systems must ensure data recovery within 12 hours. | Desirable | |
Monitoring | Real-time monitoring of server health (e.g., CPU, memory, disk) must be in place for proactive issue detection. | Mandatory |
Monitoring systems must be integrated with alerting mechanisms (e.g., email, SMS) for high-priority issues. | Desirable | |
Detailed resource utilisation metrics (e.g., CPU, disk usage) should be accessible to administrators. | Desirable | |
System logs must be stored securely and be accessible for auditing purposes. | Mandatory | |
Monitoring tools must provide comprehensive dashboards to track the health and performance of infrastructure. | Optional | |
Auditability | On-premise systems must provide audit logs for all critical administrative actions (e.g., data access). | Mandatory |
Logs should be stored for at least 12 months for compliance and audit purposes. | Mandatory | |
Logs must be immutable and encrypted to prevent tampering or deletion. | Desirable | |
Audit trails must be integrated with SIEM tools to detect and report suspicious activity. | Desirable | |
The system must provide detailed reports of user activity and configuration changes. | Desirable | |
Maintainability | The system must support automated patch management with zero downtime for critical patches. | Mandatory |
All hardware components must be replaceable or upgradeable with minimal system downtime. | Desirable | |
Vendor documentation must include troubleshooting procedures for common system issues. | Desirable | |
The system should provide diagnostics tools for troubleshooting issues with hardware or software. | Desirable | |
Maintenance schedules must align with the organisation’s change management policies. | Optional | |
Usability | The system’s user interface must be intuitive and provide training for non-technical users. | Mandatory |
Customisation options (e.g., workflows, views) should be available for different user roles. | Desirable | |
Administrative interfaces should provide real-time performance and resource metrics. | Desirable | |
Onboarding and training resources must be available for new users and administrators. | Desirable | |
The system should support easy integration with existing business tools (e.g., CRM, ERP). | Desirable | |
Portability | The system must support data migration to alternative platforms if necessary (e.g., from on-premise to cloud). | Desirable |
Data export features should support standard formats (e.g., CSV, XML, JSON) to facilitate portability. | Mandatory | |
Applications must be containerised to enable easy deployment and migration. | Desirable | |
Integration with external applications via APIs must be supported. | Mandatory | |
Customisation settings must be portable across different environments (e.g., between dev, test, and prod). | Desirable |
Hybrid
Hybrid systems combine on-premise infrastructure with cloud or SaaS components, allowing organisations to leverage the benefits of both deployment types.
Category | Requirement | Priority |
---|---|---|
Performance | Network latency between on-premise and cloud components must not exceed 100ms. | Mandatory |
Data synchronisation between on-premise and cloud systems must occur within 5 seconds for critical data. | Mandatory | |
Hybrid architecture must sustain 10,000 concurrent users across on-premise and cloud resources. | Mandatory | |
File uploads exceeding 500MB must not exceed 2 minutes for transfer between environments. | Desirable | |
Real-time analytics dashboards must process data from both environments within 1 second. | Optional | |
Scalability | Hybrid systems must support dynamic resource allocation between on-premise and cloud environments. | Mandatory |
Workloads must rebalance automatically between environments during resource contention. | Mandatory | |
The hybrid system must accommodate a 200% increase in cloud traffic during peak periods. | Desirable | |
User management must support global accounts spanning both environments. | Mandatory | |
Application deployment pipelines must support hybrid integration testing environments. | Desirable | |
Security | Data encryption keys must synchronise securely between on-premise and cloud systems. | Mandatory |
Hybrid systems must enforce identity management policies across both environments. | Mandatory | |
Intrusion detection systems (IDS) must monitor traffic between on-premise and cloud systems. | Desirable | |
Hybrid systems must provide security audit logs for all cross-environment activity. | Desirable | |
Data in transit between environments must use end-to-end encryption protocols (e.g., TLS 1.3). | Mandatory | |
Availability | Hybrid systems must switch to failover nodes within 60 seconds of detecting downtime. | Mandatory |
Data replication must ensure no more than 5 minutes of data loss in case of a failure. | Mandatory | |
Cloud-dependent processes must continue functioning offline for up to 2 hours. | Optional | |
Redundancy must be implemented for both on-premise and cloud systems to avoid single points of failure. | Mandatory | |
Hybrid system components must meet a combined uptime SLA of 99.95%. | Mandatory | |
Monitoring | Hybrid systems must provide unified dashboards for monitoring cloud and on-premise components. | Mandatory |
Alerts must trigger for discrepancies in synchronisation between environments. | Mandatory | |
Anomalous activity between systems must generate alerts within 1 minute. | Desirable | |
Historical performance data for both environments must be stored for 12 months. | Desirable | |
Monitoring solutions must integrate with both on-premise tools and cloud APIs. | Mandatory | |
Auditability | Audit logs must track all cross-environment data transfers. | Mandatory |
Access to audit logs must require multi-factor authentication. | Desirable | |
Changes to hybrid configurations must include timestamps and approval details. | Desirable | |
Hybrid system audit trails must meet compliance standards (e.g., GDPR, HIPAA). | Mandatory | |
Logs for failed synchronisation attempts must include root cause analysis. | Desirable | |
Maintainability | System updates must propagate across both environments within 1 hour. | Desirable |
On-premise and cloud documentation must include hybrid configuration best practices. | Optional | |
Hybrid systems must include automated rollback mechanisms for failed deployments. | Mandatory | |
Both environments must undergo coordinated maintenance windows quarterly. | Desirable | |
Testing frameworks must support hybrid integration test cases. | Optional | |
Usability | Hybrid interfaces must clearly distinguish between on-premise and cloud data sources. | Mandatory |
Dashboards must display real-time synchronisation status. | Desirable | |
User interfaces must allow seamless switching between environments. | Desirable | |
Configuration wizards must support hybrid setup for non-technical administrators. | Optional | |
Error messages must identify whether the issue originates from the on-premise or cloud environment. | Mandatory | |
Portability | Hybrid systems must allow the migration of workloads fully to on-premise or cloud if required. | Mandatory |
Data exports must support hybrid-specific metadata tagging. | Desirable | |
Hybrid systems must provide APIs for moving configurations between environments. | Mandatory | |
Applications must function independently of hybrid architecture during migrations. | Desirable | |
Backup and recovery solutions must support hybrid scenarios. | Mandatory |
Non-Functional Requirements Template
Having a non-functional requirements (NFR) template is crucial for consistency and clarity in project documentation. It helps ensure that all key performance, security, and usability factors are considered, avoiding missed requirements that could impact the system’s functionality. A template streamlines the process of gathering, defining, and tracking NFRs, providing a standardised approach that simplifies communication among stakeholders and ensures nothing is overlooked. It’s an invaluable tool for business analysts, offering a solid foundation for creating comprehensive, tailored NFRs for each project.