Non Functional Requirements (NFR) Example Sets

Introduction
Requirements for ICT systems are often divided into two broad categories: Functional R
Functional Requirements are usually focussed on describing the ICT functionality most
Non‑functional requirements are equally important but often less visible to users, they
This document contains extracts from 6 tender documents which were devised for the
The extracts are all Non Functional Requirements and provide a valuable
source for authors of tender documents to be able to use them as they think
fit
Note; - some of the standards or technical products named will be outdated.
That should not prevent authors using the NFR details as a base from which

This sheet provides a listing of the various characteristics or categories into which NFRs can be g
Characteristics
Security
Authentication/Trust
Authorization (Roles & Permissions)
Vunerability/Threat Protection
Confidentiality/Integrity
Security Policy & Manageability:
Scalability
Volume Scalibility
Location Scalability
System Resiliency
Availability
Reliability
Performance and Capacity
Supported transactions
Availability of data
Performance of Transactions
Maintainability and Supportability
Support
Usability
Help
Training
Disaster Recovery
Recovery
Backup
Monitoring
Archive/Purge
Legal, Audit & Regulatory
Testability
Licensing
Software Components
System Development Lifecycle Approach
Release Methodology
Reporting
Regulatory controls / Standards / policies /
Characteristic Description
Service Criticality
Service criticality is a measure of the business
importance of the service. Failure of a service may
cause serious widespread and lasting impact to
business operations, or such failures may be tolerated
for reasonably long periods. The criticality of a business
service is a key consideration in determining the
required resilience to failure of the information systems
Service Availability
Service availability is a measure of the time during which
the service is normally provided. Availability may range
from normal working hours through to contantly
available. Where a service is automated through the use
of information systems, availability of these systems
must match or better the service availability required.
Service Reliability
Service reliabilty is a measure of the number of service
outages that are acceptable to users of the service.
Outages may arise through some failure or other, or may
be planned to allow maintenance activities to occur. The
reliability of a business service is a key consideration in
This document is a partial preview. Full document download can be found on Flevy:
http://flevy.com/browse/document/non-functional-requirements-nfr-example-sets-3657

Service Reporting
Business services which produce reports will do so on a
particular basis. Some services will produce mandatory
reports essential to the business operation. Others will
produce reports on an ad-hoc basis which have no
material influence on the business operation. Reporting
Regulatory Controls
Some business services may be subject to external
regulatory controls, which will impose a number of
requirements upon the service such as extended data
Existing Automated Systems Support
Business services may be supported by one or more
automated systems. Understanding the extent to which
automated systems are used to support the provision of
a service will assist in identifying opportunities for
improvement in service provision.
Service Responsiveness
Service responsiveness is a measure of the time taken
for a service to deliver results to service users. The
responsiveness of a service will determine the required
performance characteristics of any information systems
and underlying technology used in providing the service.
Service Demand Profile
Demand for a service generally has a particular profile.
In some case it maybe predictable and stable, but in
others it may be unpredictable and erratic. The profile of
demand is a key consideration in determining the
required performance characteristics of the information
Service Demand Frequency
Demand for a service generally has a particular
frequency. Some services may be used very frequently
whereas others may be used much less comparatively.
The frequency of demand is a key consideration in
determining the required performance characteristics of
the information systems and underlying technology used

1 Security
1.1 Authentication/Trust
1.1.1
System will have the ability to support single sign/authentication on for internal users. Once a user has
authenticated, the user should be able to interact with other systems available without requiring authentication. x
1.1.2
System will have the ability to support single sign/authentication on for external users. Once a user has
authenticated, the user should be able to interact with other systems available without requiring authentication. x
1.1.3
The authentication mechanism shall conform to Client IT Security Standards, and be centralized for both internal,
as well as external, users. There shall be no application level authentication provided within the system. x
1.1.4
All applications using ULS for authentication will need to migrate to the new authentication model
(TAM/Webseal). All 'back-door' authentication holes (ie, allowing to authenticate by bypassing TAM/WebSeal) to
these apps must be eliminated.
1.1.5
External users AMSI (XML and Screen Scrape Navigation) Transactions must also authenticate and conform to
Client IT Security Standards, for external users.
1.1.6
External users AMSI Transaction Business processes shall also provide for single sign on/authentication for
external users.
1.1.7
Internal users of AMSI XML initiated transactions (for production support activities) must also provide for
authentication and SSO.
Ability for system to support trust-associations between system level components (between apps, for integration
purposes (web-services, et al)).
This supports the idea that the machine-to-machine communication within the network is secure and that
appropriate based on assessed risk to that machine-to-machine level interaction to provide trust (authentication),
identity propogation where necessary (authorizsation) as well as maintaining confidentiality and integrity. The data
transmissions to/from the applications must be secured and meet CobIT data transmission requirements.
1.2 Authorization (Roles & Permissions)
1.2.1 System will limit access to reports produced by Ops Reporting to a specific list of internal users
1.2.2 System will limit access to Reporting Functionality to a specific list of internal users.
1.2.3
System will limit user's access to individual tables for read, for delete and for update to a specific list of actors
with ad hoc ability.
1.2.4 There will be a single Security Zone for Policy Center.
1.2.5
The system will support role based authorization. A given section/function of the application can be restricted
based on role.
1.2.6 The system will support the ability to support multiple authority levels per roles.
1.2.7
Transactions/Capabilities both seen and performed by internal & external users for the agencies will be controlled
by their role(s).
1.3 Vunerability/Threat Protection
1.3.1
The solution must execute an IT Security Certification and Vunerability assessment process, and be approved by
IT Security and Audit
1.3.2
Standard IT Security application/system vunerability and threat analysis shall be performed, including Application
Scan tooling analysis
1.3.3
Standard IT Security application/system vunerability and threat detection capabilities shall be used in the solution
(Firewalls, HTML and XML Scans, etc.). These must be executed as an ongoing activity throughout the program.
Ability for system to provide for the protecting and addressing of particular security vulnerabilities, for vendor
software as well as appropriate fire-wall protection
This includes ensuring the vendor software does not expose any potential security vulnerabilities, as well as
enabling appropriate fire-wall protection to protect against common security attacks, for instance, cross-site-
scripting and xml-injection attacks.
1.4 Confidentiality/Integrity
REQUIREMENT
1.1.8
1.3.4

1.4.1 Ability of system to encrypt messages and communication at critical high-risk security points for confidentiality
1.4.2 System protects the fact that not only the information is correct, but also that it can be trusted and relies upon.
1.5 Security Policy & Manageability:
1.5.1
Initial Data Classification for sensitivity of sensitivity is classified as GOLD level. Highly sensative data
(account/customer, user, password, policy) shall conform to appropriate standards of protection and standards
within Client.
1.5.2
For internal users: The system shall comply with current Client security protocols for userid and
password/management/expiration policies.
1.5.3
For external users: The system shall conform to the existing Client Central user ids and password policies as
currently defined by ULS.
For external users, require a separate policy for the creation of ids, password management/expiration, and other
user functions than for internal users. These policies must become part of the overall corporate enterprise policy.
(Ability to manage multiple policies based on user types: internal, external, etc.). The following are the policies:
=Password must be 6-13 characters in length. Password must be at least 6 characters long.
=New password must not be the same as current password or any of the previous 7 passwords. Enforced by
LDAP.
=Passwords expire after 90 days. Enforced by LDAP.
=After 5 incorrect password attempts, the account is locked out for 30 minutes. Enforced by LDAP.
The following capabilities may require adherance to corporate standards based on technology limitations
=When Client users log in within 2 days of their password expiration date, they receive a notification that they
should change their password. (and re-addressed in NFR 1.5.21)
=Client users can log in 5 times after their password expiration date, receiving a notice each time of how many
grace logins they have remaining. (and re-addressed in NFR 1.5.22)
1.5.5
Ability to manage user id and password management/expiration polcies in a central place for the enterprise. The
rules for the user id and password management polciies must also exist in a central place, and be accessible at
runtime from that source system.
1.5.6 Must adhere to Client Security Standards for single point of account provisioning and workflow.
1.5.7 Provide delegated administration capabilities for internal and external users.
1.5.8
All User Application IDs need to be unique. System Application IDs (i.e., BCF access to shared services) do not
need to be unique (service accounts where appropriate).
1.5.9
A user to the system must have a single user id (identity) in the corporate LDAP solution, where LDAP is being
applied in the solution. Mapping of ids/users within LDAP will be prohibited, and limited capabilities userid-
mapping between custom application repositories should be limited.
1.5.10
The system will adhere to Client corporate policies where possible for session timeouts. Current policy is 60
minute inactive timeout and 8 hour live timeout
1.5.10 For Account Maintainance purposes priviliged activities in the application must be logged.
1.5.11
Security functions for external access shall have a common look and feel with existing ClientCentral/ULS. EDA
should look like ClientC security screens
1.5.12
All the User ID & Password functions should be redirected to helpdesk (e.g. Change Password, Forgot ID, Forgot
Password) – This will not use the current password policy but it will be redefined by helpdesk in conjunction with
IT Security. Also for these functions the UI will not reside in ULS but will need to have the Client look and feel.
1.5.13 Add Expired Password to the User Self Admin list
1.5.14 Provide delegated administration capabilities for internal and external users.
1.5.15
Once the user changes the password after receiving the password expiring notification, the user is required to
login again
1.5.16 Ability to support IT help desk password changes or resets for Client users and Affiliate users.
1.5.17 Database access and the production environments must meet the COBIT access requirements.
1.5.18 Ability to support non-repudiation, especially for critical business transactions.
IT Developer access to the production environment must meet the CobIT access requirements.
Note: The CobiTs used for SOX focused on Developer ability to update financial data. CobiT controls are broader than this
and Integrity for Road map should include a broader range of restrictions (e.g. need to know, confidentiality).
1.5.4
1.5.19

1.5.20 Ability for the application log files to be secured and tamper evident
1.5.21
System must provide multiple delivery-channel alternatives to notify users that passwords will be expiring (see 1.5.4 - Client
puts notice today on web-site, today LDAP done via email for internal). Require the ability to 'query' EDA/TIM system of
password expirations about to happen to similuate this capability, as well as possibilities for multiple channel delivery.
1.5.22
System will not provide grace-logon attempts. Expirated passwords must prevent logon. This complies with corporate
security policie (see 1.5.4-current capabilities)
2 Scalability
2.1 Volume Scalibility
Ability to support 444 new account setup
This metric is considered per hour during peak time.
Ability to exercise 250-2006, 500 -2007 quick quote peak hour transactions
*This number was derived from the current Client baselines by LOB for QQ and FQ, as well as growth projections
for 2006/2007. It includes xxx
220 peak hour QQ transactions via Client , 250 FQ transactions for growth projections into 2006. *Will include
that ‘some’ of the FQ (150) should be counted in QQ bucked as well, plus a factor for QQ ‘ease-of-doing business’
(100) for a total of 500 per hour for 1006. Growth projections 2007: 700.
2006 WC: QQ-100, FQ-60
2006 CA: QQ-7, FQ-14
2006 NPO: QQ-20, FQ-170
2006: UMBR: QQ-72, FQ-3
*500 total for Client, use 50% going through AMSI 2006 - 250, 80% 2007 – 500 includes ‘growth projections for
2007.
Ability to exercise 1650 – 2006, 3200-2007 quick quote transactions normal business hours (8 hour day)
Based on 2006 growth projections of bookable business (QQ-1576, FQ-1981), including some full quotes that
started out as quick-quotes (1200), and factor in ease-of-doing-business to drive more quotes (500). Total 3300
per day QQ 2006, 5000 2007 for TOTAL Client volume.
Business Growth Projections Total Quotes:
2006 WC: 783, FQ-480
2006 CA: 46, FQ-109
2006 NPO: 159, FQ-1359
2006 UMBR: 588, FQ-33
*Also applied factor of 50% through AMSI 2006, 80% through AMSI 2007
Ability to support 40-2006, 60-2007 concurrent quick-quote requests against ClientCentral (NPO and or AMSI)
400 per hour divided by 10 minutes average (40 + adjust for overlap = 60).
2.1.5 Based on the transaction usage in Client Central to support the login-logout sequence within the AMSI solution.
2.1.6 Ability to encrypt username and password information
2.2 Location Scalability
Ability to access the system from all corporate locations.
The ability to exercise a business activity at an Agent's Office.
The ability to exercise a business activity at the Data Center for Support and Administration
3 System Resiliency
3.1 Availability
2.1.1
2.1.2
2.1.3
2.1.4
2.2.1

System will be available for user interaction between the hours of 6:00 am and 8:00pm EST (Monday through
Saturday) with core business hours from 8:00am to 3:00 pm.
Peak hours are expected between 10:00am and 2:00 pm EST (Monday through Friday)
Peak days expected are Monday, Tuesday and Friday
Peak Months are December through July
Note: During other hours (8:00PM - 6:00AM) system will still be availabe but the level of avaibility might vary due
to scheduled maintainance (get the specifics though during ASE)
Messaging engine should be available to handle transactions 95% - 97% of the time between the hours of 7am
and 9pm Central time. Total system availability to be slightly less based on availability of message (engine/bcf +
Client)/2.
3.1.2
System and related integration components will be available for automated processing between the hours of
1:00am and 6:00 am EST (Monday through Friday)
3.1.3 Notice of maintenance must be distributed 48 hours prior to actual action
The BCF solution availability shall duplicate current ClientC availability. In instances where Client Central splash
page is displayed (such that Client is down for scheduled maintenance), the system shall notify the user to retry
their submission during Client business hours. The BCF Solution itself, barring any ClientCentral availability,
should be available 99.0% of the time.
See BR31754 (Error message J)
3.1.5 Ability to allow transactions from IVANs transformation station 96.5% 24/7, when within Client’s availability window
3.1.6 Ability to allow transactions from TransactNow for 99.5%, 24/7, when within Client’s availability window
3.1.7
For the Expected Service scope of this project, Agency Portal only includes pages managed with the VCM / VAP
environment
3.1.8
Core Hours: 5 AM – 11 PM (Mon – Sat) – Site is expected to be available 97% during these hours on yearly basis
taking into account the listed hours of operation. The range is larger than normal working time to accommodate
for the 4 time zones in the country.
3.1.9
Maintenance Window: 11 PM - 4 AM (Mon - Sun) – Note that Infrastructure will make every effort to keep the site
available during maintenance by keeping one of the load-balanced serv-ers available while maintenance is
performed on the other ma-chine.
3.1.10
Maintenance Escalation: Use the Service Assurance Manage-ment (SAM) for Standard Lines via email or phone
to get ap-proval for any scheduled maintenance work or planned outages
3.1.11
Support: Any technical problems identified by Client employees will be reported to the Client IT Service Desk
during core busi-ness hours for this department, which already is set in place to work with SAM if needed.
3.1.12 Site Outages – If site is unavailable, redirect to a splash page
3.1.13 IT Service Desk is available 24/7
3.1.14. Content Management Console (VCM) Availability
3.1.14.1
For the Expected Service scope of this project, VCM Manage-ment Console refers to the site used to update,
review, and publish content that will be used by Small Business Leadership Authors
3.1.14.2
Core Hours: 5 AM – 11 PM (Mon – Sat) – Site is expected to be available 97% during these hours on yearly basis
taking into account the listed hours of operation. The range is larger than normal working time to accommodate
for the 4 time zones in the country.
3.1.14.3 Maintenance Window: 11 PM - 4 AM (Mon – Sun)
3.1.14.4
Maintenance Escalation: Use the Service Assurance Manage-ment (SAM) for Standard Lines via email or phone
to get ap-proval for any scheduled maintenance work or planned outages
3.1.14.5
Support – Any technical problems identified by Client employees will be reported to the Client IT Service Desk
during core busi-ness hours for this department, which already is set in place to work with SAM if needed.
3.1.14.6 Site Outages – If site is unavailable, display error page indicat-ing that site is not available
3.1.14.7 IT Service Desk is available 24/7
3.1.15 Portal Ad-ministration Console (VAP)
3.1.15.1
The applications necessary to administer portal functionality must be available at all times, except for scheduled
maintenance
3.2 Reliability
3.1.4
3.1.1

3.2.1
The critical business functions that support processing of policies should be available 99% during core business
hours. These functions are defined as New Business Submissions, Endorsements, Cancellations,
Reinstatements, Agent Portal. This will be measured over the course of month.
3.2.2
Other critical business functions that support the underwriting of policies and the information supporting the needs
of underwriting should be available 96% during core business hours. These functions are defined as (list use
cases - get help, PST, underwriting file documentation, quote letter, missing information process, misc form
letters). This will be measured over the course of a month.
3.2.3
Overall there will be no more than 3 hours of down time in a given month and no more than 1 hours in a given day
during available business hours.
3.2.4
When the policy system of record is down (TAP/WC Pledge), the system will have the availibility to spool critical
activities (Rate, Quote, Issue) for subsequent processing. This is true for all job types -New Business, Cancel,
Reinstate, Endorse.
3.2.5
If the policy system of record does not respond within 90 seconds for the transactions of Rate, Quote, Issue, the
system will have the ability to spool the request for subsequent processing and will notify via an activity the user
once processing is complete.
3.2.6
System should have the ability to protect a user from a single hardware failure (fail over and redundancy).
Redundancy should be built into the environment to protect the user from system failures.
3.2.7
Solution should be able to handle transactions outside of normal Client Central availability window, except for
when system is down for scheduled maintenance.
Ability to display appropriate error pages to users when dependent Client Central systems are unavailable.
Allow for the handling of Client Central unavailable, Client Central splash-page, and Client System partial system
functionality involving the use of appropriate error or information pages.
Additionally, the AMSI solution should provide the ability to manage scheduled maintenance as well, and provide
a similar feature as the ClientCentral splash page that indicates to the users or systems (IVANs, TransactNow),
that the AMSI solution is down for scheduled maintance.
Recover from a system outage:
Critical / Fatal – Primary Key Business Process - Processing: 0 – 15 mins. outage
High - Business Support Process - Inquiry: 16 – 59 mins. outage
Medium - Management Process: 1 – 3.99 hrs. outage
Low - Training, Innovation, Development and Knowledge Transfer Processes: 4 – 24 hrs. outage
Informational - None: 24+ hrs. outage
Primary Key Business Processes encompass: Login, Apply On-Line and Quick Quote.
3.2.10
Ability of system to ‘cache’ transactions in-progress within the BCF application when system parts of the system
are unavailable allowing for the ability to resume later on.
4 Performance and Capacity
4.1 Supported transactions
4.1.1
System should support the anticipated peak volume of users in Policy Center according to the schedule depicted
in the Policy Center Detail Volumemetrics worksheet.
4.1.2
System should support the transaction volume of small business and anticipated growth of that business over the
next 3 years. Refer to the Policy Center Detail Volumemetrics and Deployment Model anticipated transaction
volume, peak transactions and anticipated growth.
System should support 4,000 agents countrywide.
Agents are classified in the following manner:
1. Agents that have a Transact Now agency management system solution.
2. Agents that have an IVANS Transformation Station agency management system solution.
3. Agents with an Interface Solution (e.g., aggregators)
3.2.8
3.2.9
4.1.3

4.2 Availability of data
4.2.1
Report against data as of the implementation of Policy Center – operational data will not report on data prior to
the Policy Center implementation
4.2.2 Report on data as of yesterday’s batch run except for Loss Information (weekly)
4.3 Performance of Transactions
4.3.1 Policies scheduled for xxxxx must complete the xxxxx transaction over night the day they were scheduled.
4.3.2
The system should support during peak hours a median screen response times of 3 - 5 seconds for simple
search operations. Searches where the user provides a unique key to data and return results are less than 50
rows
4.3.3
The system should support during peak hours a median screen response times of 10 - 20 seconds for complex
search operations. Contains, Begins With, high volume return
4.3.4
The system should support during peak hours a median screen response times of 3 - 5 seconds for simple fetch
operations. Provide a unique key to fetch small amount of data < 100k
4.3.5
fetch operations. Provide a unique key to fetch large amount of data > 100k
4.3.6
The system should support during peak hours a median screen response times of 3 - 8 seconds for simple online
reports. Standard queries on simple data structures
4.3.7
online reports. Complex queries on complex data structures
4.3.8
The system should support during peak hours a median screen response times of 3 - 5 seconds for simple policy
update transactions
4.3.9
The system should support during peak hours a median response time of 20-25 seconds for the function of
quote/rate. This is defined as the point by which the user takes the action to quote a policy and the return of
control to the user on the next logical page.
4.3.10
The system should support during peak hours a median response time of 10-15 seconds for the creation of a
quote letter. After a user has selected all options for a quote letter, the creation of a quote letter is defined as the
user action to "create" the letter and the system returning control to the user presenting the quote letter for review.
4.3.11
The system should support during peak hours a median response time of 3-5 seconds for the creation of other
correspondence types.
4.3.12
The system should support during peak hours a median response time of 10-15 seconds for requesting issuance
of a policy from the host system. This is defined as a user selecting the issue now function and the system
returning control to the user acknowleding the completion of the transaction.
4.3.13
System should support the routing of activities and assignments to individuals during peak hours realizing a
median response time of 2-4 seconds.
4.3.14
The system should support during peak hours a median response time of 3-8 seconds for the attachment of a
document into the underwriting file.
4.3.15
Low Complexity reports, i.e. detail data or summary reports with limited columns, few filters, minimal date range
of 1-2 Months. Should process in 45 seconds or less
4.3.16
Medium Complexity reports, i.e. Reports containing summary data with many filters, large volume of data and
many columns, a medium date range of 2-6 Months. Should process in 45 seconds to 5 Minutes.
4.3.17
High Complexity reports, i.e. Transaction Snapshot reports with large number of data elements, summary and
detail data, advanced filtering capability, large volume of data or wide date ranges of 6+ months. Should process
in 5 minutes to 1 hour
Agent will receive billing inquiry, claim inquiry and policy inquiry reponse within 30 sec
Mimic ClientC requirements + AMSI overhead
From submission within AMS to inquiry results
Agent will receive account search results within 15 seconds
From submission of Quick Quote transaction to display of search results (Account to be created or Exact Match)
This applies during average load parameters.
Agent will receive gap page within 2 seconds
4.3.18
4.3.19

From acceptance of account results/account creation to gap page presentation (assuming no producer code
selection).
This is on top Client Central processing time.
BCF Screen response time shall be not exceed 2 seconds
Screen generated by BCF shall be displayed to the user within 2 seconds. This is above Client Central response
times for transactions.
Agent will receive quote result 3 seconds above Client Central time
From submission of Quick Quote transaction from gap page (assuming all necessary data entered) to display of
Quick Quote results (Declination,Error, or Premium Indication)
Due to the variability of information entered by the user for quotes by line of business, the expected response time
will also vary. Below is a set of current quote expectations:
All response times are considered under average load parameters
4.3.23
Page response time should be less than 8 seconds for Agency Portal site. Response time less than 12 seconds in
VAP & VCM admin consoles.
4.3.24
Content published by VCM should appear on the site within 1 to 20 minutes of when the content was published
depending on the cache refresh time interval set (assuming the worst case scenario for 20 minute cache refresh
interval)
4.3.25
Vignette Professional Services (VPS) recommends using DPM caching because DPM templates will display the
content from the Content database. When the updated content appears on the page depends on when the cache
is set to expire using a Time To Live (TTL) value. This TTL value is configurable. To accomplish the most efficient
display of published content, VPS recommends using a custom extension that could clear the cache for a content
item across all pages and relationships when the updated content is published
4.3.26
Wireless Connectivity varies in the different areas of the country – no special requirements are to be captured at
that point relying on the fact that regular broadband connection will be available in the offices that are visited or
from their homes when bigger throughput is required, like downloading a big financial report.
5 Maintainability and Supportability
5.1 Support
5.1.1 A standardized process for implementing business rules will be followed
5.1.2
Third party information should be kept current. A process of update should exist such that in a regular monthly
release the update of third party information can be brought into the solution. This information icludes Dunn &
Bradstreet CIM and Financials; Marshall & Swift Boekh ITV, Specific Rate and Location data from ISO (SPI)
Saagent (geocode). There should be no more than a month lag between the receipt of updated information and
the implementation of this data into our systems.
5.1.3
Business Rules will be implemented within the established service level agreement based on rule type. Refer to
the following table for details on implementation service level agreements for types of rules. Refer to the Rule
Maintenance worksheet.
5.1.4 Need to incorporate policy center and AMSI into the defect management and incident reporting process at Client.
5.1.5
Need ability to display meaningful error messages to the user. Any error that id displayed to the user should be
displayed so that they can understand the cause and how to resolve it or get assistance. No system language
messages should be displayed to the end user. A map between TAP system generated messages and Policy
Center messages to the end user will be created.
5.1.6
Ability to incorporate enhancements into the Client enhancement process. Enhancements should follow the
service level agreements according to Client corporate process and standards.
5.1.7
Need the ability to view application logs in a central location. All logged data generated from components of the
system or components that the system depends upon should be easily accessible from a centralized location.
5.1.8
Need ability to alert support staff of critical application errors. When critical or fatal errors occur within the
application that prevent processing but do not impact the infrastructure or environment, production support should
be alerted automatically. Generally these would be code errors, that cause an inability to complete transactions.
the environment will appear to be functioning.
Need the ability to view contextual information about app errors. When an unexpected application error is
encountered, the context of the error should be known and easily accessed by the support staff.
4.3.20
4.3.21
4.3.22

Contextual information includes user session information from the session that encountered the error. information
about the application code that generated the error and any other pertinent environmental factors that may have
led to the cause of the error.
Ability to support several submission formats.
Accord format via TransactNow (ACORD 1.3.1) and IVANs Transformation Station (1.0) for transactions.
Additionally, for support of Aggregators, choice of one of current supported transaction formats will be used.
5.1.10 Messaging Engine must be able to adhere to changes in Client appetite
5.1.11 Changes to ACORD Forms, Product Appetite, Distribution rules, etc. should be done in staged environment
5.1.12 Needs to be a defined process for installation and maintenance of vendor software
5.1.13 Vendors require lead time prior to changes of inquiry functionality to reconfigure product.
5.1.14 Need to follow and adhere to same process for internally built applications
Ability to support automated definition and managed deployment of enterprise and application services within
‘services gateway’ tool.
*This need addresses specifically the requirement for the manageability and maintenance of enterprise
Bridje.Services with regard to service definition process within the tools (deployment toolkit)
Ability to manage/set application environment information by externalizing this from the application
*Supports the idea the the environment information will not be ‘hardcoded’ within the application such that this
may be changed without requiring a rebuild from the vendors.
Need ability to reset application passwords on a periodic basis programmatically
Supports the ability to reset application passwords without the need to ‘reinstall’ the application, a SOX production
runtime requirement.
5.1.18 Need ability to support code bases across multiple environments and channels
5.1.19
Content Changes - The system must be able to track information about content changes, including datetime,
user, and change. In addition, the sys-tem must be able to roll back to previous version of any content.
5.1.20
All published content via VCM is not considered business record since VCM is not a certified document record
repository. To satisfy legal and regulatory compliance, audit capabilities and version content will be provided.
6 Navigation
6.1 Navigation through the system should be intuitive
6.2 Buttons should have consistent names and consistant meanings across products and functions of Policy Center.
6.3 Placement of common fields should be consistant across products and screens.
6.4 Application should always provide navigation from a single user screen to a next logical place in the system.
6.5
User should always be able to get back into original context of Policy Center when system re-directs users to
other applications for individualized tasks.
6.6 Policy center should open a new browser window when linking a user to an external application.
6.7 Navigation to access Reports and generation of the reports should be consistent and intuitive
6.8 Navigation through the system should be consistant across products and functions.
6.9
Must support navigation to PAS from AMSI when further information is needed to perform requested transaction,
to the policy/quote submission page only.
7 Usability
7.1
Documents distributed to internal Client users will be viewable in their native format. Documents distributed
outside of Client such as to Agents/Agencies will only be viewable in a non-modifiable format, i.e. PDF.
Exception to this will be the Quote letter which will be produced in either PDF format or Word format.
7.2
Adobe Acrobat format. All Acrobat Reader functionalities once a document has been downloaded (thumbnail,
find, print, save, zoom, page forward, etc.) will be available to the user through the Adobe Acrobat Reader
application.
7.3 User will be able to designate the “Save location/Folder” if they choose to download the document.
5.1.16
5.1.17
5.1.9
5.1.15

7.4
Reports should be printable, exportable to Excel, sortable by column, and given the option of reporting % or
cumulative
7.5 Display on reports and report generation screens the data current as of date
7.6 Save Report Parameters for interactive and scheduled report requests
7.7 Report time related events based on local time – do not only show CST
Client Corporate Browser Support
The Corporate Standard for the IE browser is as follows:
Internet Explorer > 6.0
Internet Explorer 5.0
Firefox
Windows XP SP1 or SP2
Windows 2000 (Internet Explorer 6.0 SP1)
Windows 2003 (Internet Explorer 6.0 SP1)
Client Central is best viewed with Internet Explorer 5.5 or greater and any Netscape version.
The system should be easy to use.
General Usability Requirement.
7.1
In order to ensure that consistent styles are used through the Agency Portal site for any content that is published,
the eWebEdit Pro tool within VCM should be configured so that usability options, such as Bold, Underline, Font
Size, etc. will be procedurally enforced to ensure the content administrators should come through the style sheets,
which will be created and maintained by Corporate Communications
7.11 Note: There is no guarantee of consitent style for external applications linked through the portal
6.9 Ability to click on a row in a report to display the next level of detail or navigate to specified report
8 Training and Help
8.1 Help
8.1.1 Access to page level help information should be available to users of policy center
8.1.2
On-line reference material by process function should be available to users of policy center. This includes web
based training
8.2 Training Ability to have training material
8.2.1 [SEE SP1 DOCUMENTATION. INSERT THESE REQUIREMENTS GATHERED HERE]
8.2.2
Training must be developed explaining the process for updating, reviewing, and publishing content with the help of
the SBW content administrator (see section 3.01) and the Deployment Lead on the project.
9 Disaster Recovery
9.1 Recovery
9.1.1 Policy Center will be RTO Level 2 application - high available application supporting critical business functions.
9.1.2 Reporting functions will be RTO Level 3 application - Adv Recovery 25-72 hours
9.1.3 Refer to DR Worksheet for requirements and support for underlying components.
9.1.4
A plan for disaster recovery of Policy Center and related components should be created as part of the
construction phase and tested after release into production.
9.1.5
System Data Recovery - A disaster should not cause a loss of any system data, with the exception of “unsaved”
entries by a user at the time the system went down.
All critical enterprise system functions with regard to security, monitoring/manageability, and dependent Client
systems must be recovered.
*Addresses the fact that the WebSeal, Amberpoint, and AMSI Application and Enterprise Services must also be
recovered within the timeline above, although some of these are ‘enterprise’ level and not ‘application’ level
components.
9.1.7 Agency Portal will be RTO Level 2 application - high available application supporting critical business functions.
9.2 Backup
7.8
7.9
9.1.6

Ability to back up data that supports the business process nightly. This data includes: Policy Data in the source
systems (TAP/WC Pledge), Underwriting data in Policy Center, User Role/Permission data in Policy Center,
Electronic Files in Filenet, Activities and Assignments in Policy Center.
The requirement addresses the need to maintaining 2 days of on-site backups.
9.2.2 Need the ability to support transaction level backup capability off site.
9.2.3
Ability to recover from a backup overnight. Any and all components of the Policy Center system will be available
for recovery over night.
9.2.4 Retain underwriting data according to corporate guidelines for document retention for eight years.
9.2.5 Retain reporting data for a rolling 3 years
9.2.6 The system shall support nightly backup - Standard tape backup should be used
9.2.7
The system shall support the ability to replay transaction logs since the last backup to bring the system to the
point of failure.
9.3 Monitoring
9.3.1 Ability to monitor and produce metrics on ams based, agent-user based traffic within the system
9.3.2 Ability to monitor and produce metrics on transactions completed within the system
9.3.3 Ability to monitor availability of the system, functions and components
9.3.4
Need the ability to notify Product Support of server outages, or failing conditions of policy center or dependant
systems.
Production support should be notified immediately before the help desk receives any calls. These servers include
web servers, Message queue servers, Database Servers, Database Gateway servers, Servers where web
services reside. Also included: network switches, Firewalls, routers and load balancers.
If a web server or web-service exhibits signs that signal a potential non fatal problem, such as a reduction in
performance, production support should be notified, but users should be allowed to continue to use the application
and transactions posted accordingly.
Whenever a scheduled job or data feed execute the application should inform the production support team of the
activity processed, any failures and the impact of the failures. For example AMSI will produce a nightly data feed
to Client, when this is completed an e-mail should be generated and sent to the prod support mailbox that
describes the success or failure of the job, the number of records processed, any records that were rejected and
the impact of any failures, meaning can the application continue to run without resolving any errors
9.3.6
The Policy Center application uses message queues to coordinate communication to external data sources. The
application should be aware if the queues are able to accept messages and know the number of messages in the
queue. If the queue is unable to accept or send messasges or if there are more than [50] mesages in the queue
Production Support should be notified.
9.3.7
In the automated process if the same error is received [25] times in a row for a critical business condition (Quote,
XPR, Issue, get Pricing Direction) , the automated process will shut down and notify production support of a failed
condition. It is expected that the condition will be corrected in time for the next night run.
9.3.8
In the automated process if an error is received [25] times in a row for non critical business conditions (ITV,
geocode, standardize address, ) the automated process will notify production support of the failed condition and
the condition is expected to be corrected the next night's processing.
9.3.9
When ever an exception is generated the system should be aware of it, track when it happened, its cause and
how many times this exception has been generated in the past.
9.3.10
The application should generate a report that displays summary information about the system availability
including up time and response time of all components that it is dependant on, on a weekly basis
Need the ability to leverage Bridje centralized exceptions for application-level and service-level outages for
production support alert notification
Bridje.Exceptions is the standard under which application level exceptions are generated and alerted. Production
Support that is notified will be the same production support listed and maintained within the IT Inventory system.
9.3.12
Every time processing control is transferred from the BCF application to any other service or application and
subsequent "hops", the BCF application needs to understand how long it can reasonable wait for control to be
returned and identify when this timeframe is not being met. This will define particular thresholds under which
‘wait’ conditions will apply.
9.3.5
9.3.11
9.2.1

9.3.13
The BCF application uses message queues to coordinate communication to external data sources, as well as
internal MSMQ queuing. The application should be aware if the queues are able to accept messages and know
the number of messages in the queue. If the queue is unable to accept or send messages or if there are more
than XX messages in the queue, or otherwise errant conditions, Production Support should be notified.
9.3.14
The application needs to be aware that any message it is trying to drop in a queue has successfully made it to that queue
and not been lost. (guaranteed delivery) – applicable for external system integration going through queues.
9.3.15
The application needs to have the ability to ensure that the application database and any other datasources which the
application is dependant on are available and that the application can read write and execute to them. If not Production
Support should be notified.
9.3.16
When ever an exception is generated the system should be aware of it, track when it happened, its cause and how many
times this exception has been generated in the past.
9.3.17
Infrastructure should be able generate a report that displays summary information about the system availability including up
time and response time, and system utilization, of all components that it is dependant on, on a weekly basis
Need the ability to log transaction level detail within the application at varying degrees of detail
Supports the notion of having the ability have levels of logging, such as DEBUG, WARNING, ERROR, CRITICAL,
and the ability to change this dynamically.
9.3.19 Need to understand how to manage and tune the BCF application server components.
9.3.20
Content Updates - The system must be able to track information about content changes, including datetime, user,
and change.
10 Archive/Purge
10.1 Data readily available (not archived) - 7 years
Data archived - X years
After data archived timeframe has passed, data is purged.
Note: This is based on whether the ‘business’ determines if these are ‘system of record’ documents, in which
case, the business records-retention needs to apply (or, if Client is the ‘system of record’,then these documents
are just regular database records, and decision on retention is still the business’s call based on how long they
want to keep data around’. Need business to determine if the record of the ‘non-submitted’ transaction needs to
be ‘kept’ according to retention schedule.
11 Legal, Audit & Regulatory
11.1
The system shall capture and store quote submissions for 7 years, in compliance with Records retention
compliance.
The quote submission through the solution is reference data only. The record and associated data are captured
within Client Central.
11.2 The system shall purge/delete stored quote submissions after the period of retention has expired.
The quote submission through the solution is reference data only. The record and associated data are captured
within Client Central.
12 Testability
12.1 Ability for system to be able to be tested and promoted through Client’s channel management process
12.2
This includes test environments (CUT, ETE, etc.), as well as channels (Client unique). Requiring the setup and
manageability
12.3 Listing specific ams test systems that Client will be leveraging
12.4 Ability to support system level component level testing with regard to the performance engineering effort
This is more of a process requirement than a solution requirement, but mentioned here because this requirement
adds additional effort to undertake.
12.5 Ability to test via IVANs and TransactNow through AMSI systems
9.3.18

1 NFR001
Integration
Requirements
The product must comply with Client's integration architecture as documented in
the Domain Architecture for SOA reference document. Please specifically
outline in your response how this could be supported.
Must
The product must support best of breed Computer Telephony Integration (CTI) /
Interactive Voice Response (IVR) products via open telephony standards (e.g.
CSTA, TSAPI, TAPI). Please specify in your response how this could be
supported.
Hold out for the shortlist from Alex Stewart the tender review is beginning next
week (2nd September), should be able to provide shortlist of tenders on 5th Oct.
The product must allow for adding, referencing, linking and searching for
documents held in an external document management system (for example for
the storage and retrieval of documents held against a customer or agreement).
Please specifically outline in your response what support is provided for:
a) IBM Document Manager
b) Vignette
c) Documentum
d) Filenet
The product must include a portlet building capability or portlets for commonly
available portal products (e.g. IBM Portal Server, Microsoft Sharepoint Portal
Server, BEA, Tibco). Please specifically outline in your response:
a) What functionality can be exposed through portlets
b) What is your recommended implementation strategy with an external portal
The product must integrate with GIS systems (e.g. Client usees Smallworld)
using open standards (e.g. Web services and JMS). Please specifically outline
in your response:
a) What out of the box integrations to GIS are supported
b) What integration is supported specifically to Smallworld
6 NFR008
Integration
Requirements
The product must provide open interfaces to create, send and update service
requests to and from an enterprise asset management system (for example to
generate a work order in IBM Maximo from a service request in the CRM
package). Please specifically outline in your response how this could be
achieved.
Must
Integration
Requirements
Must
4 NFR006
3 NFR005
Integration
2 NFR004
Integration
Requirements
Must
5 NFR007
Integration
Requirements
Must
Integration
Requirements
Must

The product must integrate with external BI tools that are not proprietary to the
vendor (e.g. Crystal Reports). Please specifically outline in your response:
a) Which external BI products and versions the product supports
b) The duration for which these will remain supported
Client's standard data warehouse is Oracle 10G R2 64 bit with OLAP and
Partitioning options on Sun Solaris 10.
The product must support orchestration by an external BPM engine e.g. IBM,
BEA, Tibco or Sun. Please specifically outline in your response:
a) What CMS services can be orchestrated by an external engine
b) What BPM standards are supported
The product could interface with Client's office automation software (Groupwise
and potentially MS Outlook) for the creation of diary entries/appointments and
synchronisation of contacts. Please specifically outline in your response:
a) What OOTB integration is provided for MS Outlook and Groupwise
b) The duration for which these products will remain supported
c) Any known limitations with these products
10 NFR012
Information
Management
Requirements
The product must provide accessible data and meaningful metadata. The
product should therefore be able to expose underlying data making it accessible
and meaningful. Please specifically outline in your response how this is
supported. Including physical/logical views accessible in CA Erwin.
Must
11 NFR016
Information
Management
Requirements
The product should be able to manage and enact Client's data retention
policies, as outlined in the State Records Act (1998) and State Records
Regulation (2005). Please specifically outline in your response how this is
supported.
Must
12 NFR017
Information
Management
Requirements
The product must guarantee transactional integrity. The product must not allow
any data inconsistencies to arise as a result of system failure during batch
processing or user input. Please specifically outline in your response how this is
supported.
Must
13 NFR015
Information
Management
Requirements
The solution should allow the use of National Post accredited Delivery Point
Identifiers (DPIDs) with addresses. Please specifically outline in your response
how this could be achieved.
Should
14 NF082
Information
Management
Requirements
The solution must support CCRD line of business reporting (please refer to
detailed reporting requirements)
Must
The solution must provide the ability to support the creation and maintenance of
a use-case driven single view of customer and a single view of property. Please
specifically outline in your response:
Integration
Requirements
Must
8 NFR003
Integration
Requirements
7 NFR010
Information Management
Information
Must
9 NFR009
Integration
Requirements
Could

a) how this could be delivered
b) examples of how this has been achieved in the past
c) what (if any) third party tools typically fulfill this requirement
16 NFR018
Adaptability
Requirements
The product must allow custom event handlers to be specified to capture events
and changes to base functionality. Custom event handlers should be configured
by scripting without the need for changes to source code. Please specifically
outline in your response what customisation and extension capabilities are
provided.
Must
17 NFR019
Adaptability
Requirements
The product should provide support for multibyte character sets e.g. Unicode,
UTF-16 for portal users. Please specifically outline in your response how this is
supported.
Should
The product must be able to support the technology that enables the availability
requirements of F52. The solution should achieve an availability of 99.7% over
24 hours by 7 days (with a planned maintenance window of 2am to 5am).
Please specifically outline in your response:
a) How are new releases of the product managed
b) Does the product support hot deployment
c) Does the product support hot backup/restores.
d) How this availability target could be achieved
19 NFR021
Auditability
Requirements
The product must provide audit functionality based on a configurable rule set.
All activities should be loggable at a verbose level, and traceable to an individual
process or unique user ID. It should be possible for any activity to be directly
traceable back to the originator (whether this is a person, or a system service).
Please specifically outline in your response how this is supported.
Must
The product must be able to operate in the Client environment (as documented
in the Technical Architecture Product Domain Standards and Desktop Product
Standards). Please specify any known incompatibilities which would affect
integration with the SOE and in your response outline:
a) All applications and version numbers which have known incompatibilities with
your product
b) Whether a fix is planned for the incompatitability and the estimated timeframe
for release
15 NF083 Management
Requirements
Must
Should
Auditability
Supportability
20 NFR023
Adaptability
Availability
18 NFR020
Availability
Requirements
Supportability Must

The product must support integration with Client systems without manual user
intervention, unless there is an error in processing. Soft errors (i.e. temporary
connection failures etc) should be automatically resolved through automatic
retry mechanisms.
a) How are errors handled
b) How are they followed up
c) How are they prioritised
d) What logging information is provided
22 NFR027 Useability
The product must provide appropriate (electronic and searchable) user and
administrator documentation. Documentation should include user guides,
administrator guides, troubleshooting guides, context sensitive help and online
tutorials. Please specifically outline in your response what documentation is
supported.
Must
23 NFR025
Solution Monitoring
and Alerts
The product should provide all log files in a format readable by HP Openview
ESM software. Log files should be accessible in a legible, delimited and human
readable format for easy analysis.
Should
The product must allow the UI to be set up based on user roles and
organisation groups, which should include, but not be limited to:
a) Menu items
b) Screen tabs
c) Tab layouts
d) Administration forms
e) Field level data entry
The product must display feedback mechanisms when long running tasks are
executing. The definition of a long running task is a task that takes longer than
10 seconds to complete. Please specifically outline how this is supported.
Must
The product must be implemented in such a manner that it does not prevent
multi-tasking taking place on user workstations.
Must
The product must provide mechanisms to enable compliance with the
requirements of The Disability Discrimination Act 1992 (DDA) as they relate to
accessibility to IT systems.
Must
The product should support the changing of display of static or dynamic content
based on the localisation settings held against:
a) The client workstation
b) The server locale
c) The specific user's preferences
Must
Useability
21 NFR024 Supportability
Must

Localisation settings should include (but not be limited to):
a) Language
b) Font sizes
c) Formatting of fields such as date/time, currencies and numbers
Where no locale setting is specified, the product should render locale specific
content in the default locale
The product should allow encoding of URL links for bookmarking and insert into
emails and other types of documents. When followed the link should return the
user to the form from where the link was saved, with the specific record
retrieved. In cases where the bookmark/link is created at a step within a multi-
step, wizard like process, it is acceptable to direct the user to the page at the
beginning of the process. Please specifically outline how this is supported.
Should
The product should provide <alt> tags for all images so that page display is
meaningful when images are turned off in the browser. Please specifically
outline how this is supported.
Should
The product should provide a user interface that makes appropriate use of
screen real-estate for the functionality being provided. Please specifically
outline if the following features are supported:
a) When the browser window is resized, pages must adjust to the changed
window size.
b) When displaying columns in a table format, the width of columns should be
adjustable to fit the content
c) The order and visibility of columns should be configurable
The product should support the use of predictive input or "quick fill" input
controls. For example it should be possible to search for an address by typing
"Bal" and the solution would suggest "Balmain", "Balgowlah" etc. As additional
characters are entered the product shall narrow down the pick list of matches.
Please specifically outline how this is supported.
Should
The product should include a documented product roadmap, supporting
infrastructure roadmap and decommissioning strategy for the expected life of
the solution. The product should be backward compatible (I.e. newer versions
of the product covers all the functionality of the earlier versions). Please
specifically outline:
a) on what timeframes are service packs released
b) what categories are used for reporting bugs
c) on what basis are emergency patches released
31 NFR034 Useability Should
Maintainability
33 NFR040
28 NFR029 Useability Should
Maintainability Should
Security

The product must support identity and access management products and
standards e.g. Active Directory, LDAP, Tivoli Identity Manager and Tivoli
Access Manager. Please specifically outline in your response:
a) Which version numbers of the product outlined above are supported
b) The duration for which these versions will remain supported
c) How does the product support SSO authentication
35 NFR043 Security
The product must allow audit logging of all login/logout events, retries, failures
and optionally (successes). The level of logging detail must be configurable by
a systems administrator. Please specifically outline in your response how this
is supported.
Must
36 NFR045 Security
The product must secure the use of application sessions to store state
information such that it is not possible for a user's session to be used by
another. Please specifically outline in your response how this is supported.
Must
37 NFR046 Security
The product must support session timeout after a specified configurable period
of inactivity. Where no timeout is configured the default timeout shall be 30
minutes. Please specifically outline in your response how this is supported.
Must
38 NFR048 Security
The product must limit user access to authorised parties. The product must
prevent users and external parties from viewing or accessing application
functionality and data that is unauthorised for that user or system. Please
outline in your response how this is supported.
Must
The product should support the following access principles:
a) Multiple active sessions with the same user ID
b) The expiration of all active sessions if the user elects to log out
40 NFR050 Security
Please state whether any security accreditation has been granted for the
product or any of its components, either through an independent analysis &
assessment, or through government bodies.
Should
41 NFR051
Architecture
Requirements
The product must run on modern n-tier based architecture, zero footprint client
and separation of database and application server. Please specifically provide
with your response a high-level system architecture view that illustrates that the
product fulfils this requirement.
Should
42 NFR052
Integration
Requirements
The product should allow for a loosely coupled architecture via a service
oriented approach. Please specifically outline how your product is designed to
achieve this.
Should
Security Must
39 NFR044
34 NFR042
Security Should
Architecture
Performance

The product must meet appropriate response times over the Client LAN and
average user load. For example:
a) Loading a form: 3 - 5 seconds
b) Searching for a customer: 2 seconds
c) Performing complex searches on multiple search criteria (including wildcards
etc): 10 - 30 seconds
d) Tabbing between fields: negligible
The delay between user request and initial response should be no more than 2 -
4 seconds, where a process is going to take a long time (more than 10 seconds)
a progress bar or other feedback mechanism should inform the user of the
delay. Please specifically outline in your response how these performance
targets could be achieved.
44 NFR057
Performance
Requirements
The product must manage all administrative tasks and batch jobs etc without
adversely affecting the experience/responsiveness of the solution for interactive
users. Please specifically outline in your response how this is supported.
Must
The product must be scalable to support the expected number of users and
transactions. Expected support the minimum number of Contact Centre calls as
per the following:
a) 100 concurrent calls
b) 5,000 calls per day
c) 20,000 calls per week
d) 660 system users
e) 80 call centre users
Waiting for statistics on user, scalability figures, which need to cover:
Number of concurrent sessions
Number of system users
Number of concurrent calls
Number of calls per week, per month per year (low, high, peak)
How many sites
Expected growth
Performance
Requirements
Should
Scalability
45 NFR060
43 NFR055
Scalability Must

What would the approach be to support this? Vertical/Horizontal scaling? etc.
The product must allow monitoring by HP Openview. Please specifically outline
in your response:
a) What solution monitoring is available
b) What, if any, smart plugins are available for HP Openview
c) What solution monitoring is recommended
47 NFR064
Solution Monitoring
and Alerts
The product must support user behaviour logging to allow statistical analysis of
usage trends. Please specifically outline in your response how this is supported.
What tools (if any) are required for presentation and analysis.
Must
The product must allow authorized system administrators to view the following
information:
a) Version and patch number of major components
b) Read only access to all standard product and custom application property
files
49 NFR067
Infrastructure
Requirements
Please outline the minimum and preferred technical specifications for the
database, application servers and client workstations given these functional and
non-functional requirements. Your response should include but not be limited to
memory, hard disk, CPU, operating system (and patches levels), other software
required and expected network latency.
Must
The product must support common browser software. Please specifically
outline in your response:
a) Which browsers and version numbers are supported
b) Which plug-ins are required
The product must support a minimum screen resolution of 800x600. Common
screen resolutions (between 1024x768 and 1600x1200) should be supported
without the need for a horizontal scroll bar.
Must
52 NFR066 Security
The product must be able to run in a zoned architectural environment (External,
External DMZ, Internal DMZ and Trusted). Specifically, the application and
database servers must be able to run in separate network groups protected by
stateful firewalls. The product should support the use of transport layer
encryption such as SSL, TLS, Web services over HTTPS etc. Please
specifically outline in your response how this is supported.
Must
53 NFR069
Infrastructure
Requirements
The product should provide support for disconnected (store and forward) and
handheld devices such as Laptops, Tablet PCs, PDAs, cell phones, and
BlackBerrys. Please specifically outline the devices supported.
Should
Solution Monitoring
and Alerts
Must
48 NFR065
Solution Monitoring and Alerts
46 NFR063
Infrastructure
Requirements
Must
Solution Monitoring
and Alerts
Must
Infrastructure
50 NFR068

54 NFR072 Licensing
Where the product uses third party software it must be covered by a current and
valid license agreement.
Must
The product must be able to meet the business requirements and objectives
with minimal customisations (changes to source code) based on the CMS
Scope & Capability Framework . Please specifically outline in your response:
a) If any components of the CMS solution would require changes to source code
b) Provide indicative man-day estimates for such source code changes
c) How would these customisations survive a product upgrade
56 NFR074
Software
Components
All product components considered for the CMS solution must be available on
the same versions of supporting software and operating systems to maintain
consistency and reduce complexity. eg: all proposed modules should be
running within the same application server and database versions.
Must
57 NFR076
System
Development
Lifecycle Approach
The product must allow concurrent team development i.e. multiple developers
may work on the product at the same time (and test changes in isolation).
Please specify outline the change control and version management tools
available with the product.
Must
The product should allow customisation without the need for 3rd party tools.
a) If any 3rd party tools are required
b) The supported version number(s) of any tools, if applicable
59 NFR077
System
Development
Lifecycle Approach
The product should align with Client's standard development languages i.e.
Java/C#/ASP/HTML. Please specifically outline in your response what
languages can be used to customise the product.
Should
60 NFR078
Release
Methodology
The product must provide a tool for applying service packs and hot fixes. It
should be possible to deploy updates within available maintenance windows.
Must
61 NFR079
Release
Methodology
The product should provide a tool for determining the applicability of rolled up
service packs.
Should
62 NFR080 Backup/Restore
The product must allow all data and configuration files to be backed up and
restored in line with Client's standards and schedules.
Must
63 NFR081 Backup/Restore
The solution must provide a complete backup capability without incurring any
operational downtime.
Must
Licensing
Software Components
55 NFR073
Software
Components
Must
System Development Lifecycle Approach
58 NFR075
System
Development
Lifecycle Approach
Should
Release Methodology
Backup/Restore

End of Section Non Functional Requirements.

Ref Requirement Description Priority
Hosting Services
A1 NFR001 The Supplier must provide a specification of the hardware, network and other infrastructure components required to
operate the application to the level of performance specified in the non-functional requirements for sub-package A2.
M
A1 NFR002 The Supplier must provide proposals (for existing solution functionality) which would support Client to achieve its
objective of becoming a paperless organisation.
M
Training Services
A1 NFR003 The Supplier must provide training for Users so that they can effectively and efficiently use the IT services. The level of
training given will reflect the work needs of individual Users and will include advanced training if necessary. The Client
will be responsible for providing training rooms, the Supplier will provide all IT and other equipment necessary for
carrying out the training. Requirements for training will be agreed as part of the Implementation Plan.
M
A1 NFR004 Training must include: M
A1 NFR005 Training for Users prior to the introduction of the information services; M
A1 NFR006 Training for Users changing role who need to use information services that they have not previously been trained to
use;
M
A1 NFR007 Training prior to any major change to the information services, so that Users can work effectively following the
change;
M
A1 NFR008 Refresher or additional training as required to eliminate major sources of error or requests for assistance. M
A1 NFR009 A training suite and system resources in accommodation provided by the Client to allow training to be undertaken
away from the normal workplace and, where appropriate, on an anonymous dataset. The capacity of the training
facilities will be aligned with the implementation proposals.
M
A1 NFR010 Training must cover all office systems introduced, supported and provided by the Supplier. M
A1 NFR011 Users must have access to support material at the point of use, for example in the form of an online manual. M
A1 NFR012 All training must take into account the existing abilities of the Users to be trained and the competencies required from
adequately trained Users, according to their roles.
I
A1 NFR013 The Supplier must carry out a training needs analysis prior to the development of any training course or material. The
analysis shall identify the competencies required by Users after training and the skills and capabilities of the staff to be
trained.
M
A1 NFR014 A training plan must be developed by the Supplier and agreed with the Client, taking into account the requirement for
minimal disruption to the Client business and services while training is undertaken.
M
A1 NFR015 Training should result in Client staff possessing the capabilities identified in the training needs analysis. The Client and
the Supplier will develop and agree objective measures for the purpose of measuring the level of capability achieved.
D

A1 NFR016 The Supplier must provide all training materials in a form that they can be tailored by the Client using standard
commercial software tools.
M
A1 NFR017 The Supplier must ensure that the training and 'sand pit' instances of the System are manageable and auditable by
Client.
D
A1 NFR018 The Supplier must provide course syllabuses that detail the course content and any pre-qualification or competency
requirements in advance of the go-live date for Client review and approval.
M
A1 NFR019 The Supplier must identify and inform Client of any ongoing, refresh or update training required during the life of the
supplied System within seven days of identification as a result of reported Incidents or change control.
M
Local network Performance
B D071 The IT Infrastructure service will be available 24 hours per day and 7 days per week with levels of availability to be provided as
follows: M
B D072 99.0% during Core Hours (a definition of availability is provided in Schedule 3 (Charges and Financial Requirements);
M
B D073 95% of all other times excluding planned downtime for maintenance as previously agreed with the Client. M
B D074 The average response time for static pages (pages on the intranet that always send back the same response for a given request)
must be within the agreed service level. M
B D075 The response time for dynamic pages (pages on the intranet that send back customized content on a response to a user request.
For a given request, different responses may be sent back to the user depending on the user’s profile, and the user inputs on the
M
B D076 The Client requires the Supplier to maintain the IT infrastructure services within agreed benchmarks for the following:
M
B D077 Printing quality and efficiency as agreed. M
B D078 Performance of office and business software. M
B D079 Except by agreement with the Client, office software will be maintained to be no more than one major release behind the current
version. M
B D080 All Client Users should be on the same release of all software. M
Local IT Reliability
B D088 The number of disruptions to IT infrastructure services is to be minimised. Specifically: M
B D089 All planned disruptions to IT infrastructure services must be authorised in advance by the Client. M
B D090 Planned activities that disrupt IT infrastructure services are to be undertaken outside Core Hours, unless otherwise agreed,
such agreement not to be unreasonably withheld. When planning maintenance that will affect facilities that are open
outside these M
B D091 An agreed number of business days notice is to be given to the Client of planned maintenance affecting Users access to IT
infrastructure services unless otherwise agreed, such agreement not to be unreasonably withheld.
M
B D092 At least 30 minutes’ (for example) notice is to be given to (a nominated team / individual within) Client of emergency
activities during Core Hours, or reasonable endeavours outside Core Hours unless otherwise agreed, such agreement not
to be unreasonably wi M

B D093 A quarterly survey will be undertaken by the Supplier using a sample of 100 Users (number to be agreed) who have contacted the
Supplier’s help desk. The Supplier will agree the content of the survey with the Client in advance. 95% of sampled Users should be
M
B D094 The Supplier is to ensure that more than 85% of IT infrastructure services Users are satisfied with the level of service, on the basis
of a six-monthly survey. M
B D095 A complaints procedure will be agreed with the Supplier and in the first instance the User will log all User complaints with
an authorised officer of the Authority. M
B D096 An escalation procedure will be agreed between the Authority and the Supplier and this will be invoked in the event that
the agreed service standard is not met. M
Security
A1 NFR072 The Supplier must prepare and agree with Client a Security Policy which provides for: M
A1 NFR073 Development and maintenance of security policies and procedures and training Users in connection with their
security responsibilities;
M
A1 NFR074 Provision, operation and maintenance of mechanisms to protect the confidentiality and integrity of the Client’s data; M
A1 NFR075 Undertaking the Data Protection liaison officer role for the services used by the Client, as set out in the Data
Protection Action services section of this work package
M
A1 NFR076 Physical security in relation to assets located on Client Sites M
A1 NFR077 The Security Policy must describe: M
A1 NFR078 The information and other assets to be protected; M
A1 NFR079 The threats to those assets and of the vulnerabilities of the systems; M
A1 NFR080 How the assets are to be adequately protected; M
A1 NFR081 Any assumptions which underpin the Security Policy; M
A1 NFR082 Security roles and responsibilities, both within the Supplier and within the Client; M
A1 NFR083 Circumstances that would trigger revision of the Security Policy. M
A1 NFR084 The Supplier must develop and maintain security operating procedures that describe the way in which the Users are to
use the systems and infrastructure.
M
A1 NFR085 The Supplier must use reasonable endeavours to ensure that all new and existing Users in receipt of the New Services
understand their security responsibilities in connection with receipt of such services before they are provided with
access to such services.
M
A1 NFR086 The Security Policy should be reviewed jointly on an annual basis by the Client and the Supplier and revised if required.
The review will take place more frequently if required. The Supplier may propose to the Client for agreement any
recommended changes to the policy.
D
A1 NFR087 The Security Policy must be updated by the Supplier in agreement with the Client following any changes to systems or
infrastructure that requires revision of the policy.
M
A1 NFR088 The Security Policy should be jointly reviewed and if necessary updated following any breach of security. D
A1 NFR089 The Security Operating Procedures should be jointly reviewed annually and revised if change is required. D

A1 NFR090 The Supplier must design, operate and maintain the Services in compliance with the agreed Security Policy. This must
include:
M
A1 NFR091 Protecting against malicious software, including viruses, being found on the infrastructure; M
A1 NFR092 Protection against unauthorised persons (e.g. hackers); M
A1 NFR093 Protection against accidental loss of data, including loss of data caused by equipment failure or User action. M
A1 NFR094 The Supplier must use reasonable endeavours to ensure that any data or application introduced onto the IT application
and in compliance with the Security Policy by an authorised User is checked and only allowed on to the IT application if
it is confirmed to be free from malicious software (e.g. viruses).
M
A1 NFR095 The discovery of malicious software on the system must be treated as a High Priority fault. I
A1 NFR096 The Supplier must ensure that it is possible to limit access to individual datasets or application services to specified
individuals or groups.
M
Documentation
A1 NFR097 The Supplier must develop and maintain system documentation describing all of the systems and procedures used to
provide services to the Client. Documentation framework must be to a recognised industry standard (e.g. ITIL,
ISO9000).
M
A1 NFR098 This documentation must include, for all systems used to provide services to the Client: M
A1 NFR099 The location and configuration of the system, including details of the hardware, operating system and any bespoke
or packaged software;
M
A1 NFR100 Design documentation. M
A1 NFR101 The Supplier must deliver one full copy of any system documentation relating to application components or systems that
are functioning in the live environment within five Business Days of being requested to do so by the Client.
M
A1 NFR102 All documentation issued by the Supplier must be produced, issued and changed in a controlled manner. Each
document, drawing or specification must clearly state the title, author, date and issue.
M
A1 NFR103 All documentation issued by the Supplier must be subject to review and approval by Client. The Supplier must note that
Client requires ten working days to review each deliverable document (and each subsequent revision of rejected
documents) and should build this into their plans.
M
A1 NFR104 All documentation must be provided electronically (and in editable form) with a remit that the Client can, without any
charges, reproduce and make available the documentation for use by the Client's staff and agents.
M
A1 NFR105 All documentation must be in the English language. M
A1 NFR106 Each software update and release during the development and testing lifecycle must be accompanied by release notes
giving a detailed explanation of the changes and the problems fixed. They must clearly identify removed functionality,
issues that remain outstanding and provide regression test logs. Release notes to be provided a minimum of five
working days before the scheduled install date.
M
Configuration Management
A1 NFR107 The supplier should use a configuration management system for the duration of the contract. All equipment and
documentation associated with the contract should be placed under configuration management.
D
Interfaces

A1 NFR108 The system should interface with: I
A1 NFR109 Client’s finance system (Sage), for collecting and reimbursing/crediting fees I
A1 NFR110 Client’s HR system, for organisational details I
A1 NFR111 Operational systems in the seven approved regulators for cross-referrals I
A1 NFR112 Initially these interfaces will be manual and will only require a report to be either produced or uploaded I
Tools
A1 NFR113 The system must provide the capability to: M
A1 NFR114 Scan all documents received and attach them to a case; M
A1 NFR115 Use shared email accounts; M
A1 NFR116 Record time spent by individual team member; M
A1 NFR117 Centrally print and distribute letters; M
A1 NFR118 Allow case tracking milestones to be set (and reset) during the progress of a case; M
A1 NFR119 Support team leaders in managing workload among their team members, and generally across teams (for example,
to show current and forecast workload by team member);
M
A1 NFR120 Allow complainants to track progress of their case via the Client website; M
A1 NFR121 Enable the submission of information (from third parties) to Client through an on-line form accessed via the internet; M
A1 NFR122 Exchange documents without using email; M
A1 NFR123 Upload and download data from an Excel spreadsheet; M
A1 NFR124 Store and retrieve physical documents related to cases (but not scanned or held electronically). M
Testing
A1 NFR125 The supplier must develop a test strategy to be agreed by Client. The intention will be for testing to include the
following:
M
A1 NFR126 Unit testing (testing that individually developed components perform to specification) M
A1 NFR127 System testing (testing that components that form an end-to-end business process perform to specification) M
A1 NFR128 Integration testing (testing that the overall solution integrates with external systems as specified) M
A1 NFR129 Performance testing (testing that the system performance in live-like conditions is to specification) M
A1 NFR130 User acceptance testing (testing that the complete user solution performs to specification) M
A1 NFR131 The Supplier must provide support to the Client Test Teams to resolve defects found during testing M
A1 NFR132 The Supplier must respond to testing defects found with a fix within a time to be agreed with Client. M
A1 NFR133 The Supplier must provide back-up, restore and cluster testing scripts to Client when required M
Reporting
A1 NFR134 The supplier must provide a report-writing capability to produce management reports from the system. Types of report
required include:
M
A1 NFR135 Current workload and case status within teams – to support team leaders in resource management M

A1 NFR136 Time taken to progress cases – to inform KPI and external reporting M
A1 NFR137 Analysis of case outcomes by case type (for example matrimonial, immigration, property) – to inform feedback to the
industry
M
A1 NFR138 Analysis of time taken by case type (for example matrimonial, immigration, property) – to inform feedback to the
industry
M
A1 NFR139 Analysis of overdue actions by team and team member – to inform internal management M
A1 NFR140 Analysis of case durations beyond a target duration – to inform internal management M
A1 NFR141 Analysis of call duration and response times by team and team member – to inform internal management M
A1 NFR142 Analysis of workload completed by each staff member – to inform performance management M
Accessibility
A1 NFR143 The system should support Windows Accessibility options such as Display Setting, Accessibility Tools and third-party
Accessibility Windows-compatible programs such as:
D
A1 NFR144 Dragon Naturally Speaking V5&6 D
A1 NFR145 Dragon Dictate Naturally Professional Speaking V.4 D
A1 NFR146 Dragon Dictate Naturally Speaking “Deluxe Edition” D
A1 NFR147 WindowEyes V3.1 D
A1 NFR148 SuperVista D
A1 NFR149 Vista SVGA D
A1 NFR150 Lunar SVGA D
A1 NFR151 JAWS for Windows D
A1 NFR152 OSCAR OCR D
A1 NFR153 Kurzweil OCR D
A1 NFR154 Screen Power for Windows D
A1 NFR155 NanoPacs Zoomtext. D
A1 NFR156 The system must help users with disabilities - for instance the workflow system should use colours to denote the priority
of workflow items accompanied by a numeric code to fulfil disability guidelines.
M
A1 NFR157 It should be possible to enable the system to display larger fonts and icons within the work environment. D
Data Management, Interfacing and Integration
A1 NFR158 The Supplier must provide analysis and design models as agreed with the project team. M
A1 NFR159 It must be possible to configure the solution to disable the maintenance of those data sets identified as master data sets
or reference data M
Data Storage and (Audit) Logging
A1 NFR160 All data relating to cases must be held on-line for twelve months following case completion, and off-line for six years
following case completion
60
A1 NFR161 For off-line retention data must be stored and available for search and retrieval from Client workstations using tools or
software currently in use within Client.
M

A1 NFR162 Audit and MIS must shall be capable of being archived into a separate database on physically separate hardware to the
Production System to ensure that data retrieval is always possible and does not impact any of the live services.
M
A1 NFR163 The System must allow for user permissions to be granted to MIS and Audit Data independently from Production Data. M
A1 NFR164 Audit must shall contain the previous and new values for each attribute and record impacted by the generating
transaction along with a transaction type.
M
A1 NFR165 There must be timestamps recorded for each transaction showing when a transaction originated and when it was
logged on the database.
M
A1 NFR166 The System must archive the data for entire events once they are over the required on-line retention period. M
A1 NFR167 The System must allow the data for entire events to be identified for exclusion from data archiving processes when they
are over the retention period by marking that event.
M
A1 NFR168 All calls must be recorded and retained for [three months]. Calls must be attachable to a case file. M
A1 NFR169 Anonymised data, for research purposes, should be held on-line for three years following case completion, and off-line
for ten years following case completion
D
Warranty
A1 NFR170 The Supplier must propose an approach to the management and performance of their warranty obligations. M
A1 NFR171 The Supplier must perform its warranty obligations in a manner that is consistent with the requirements in this SoR as
they applied prior to System acceptance. M
A1 NFR172 The supplier shall confirm acceptance of, and provide an initial response to, warranty incidents raised by Client within a
defined period. M
Software Licenses
A1 NFR173 The Supplier must provide details of all software licences that will be required by Client to implement the solution.
M
A1 NFR174 The Supplier must provide to Client all the necessary software licences for all other components of the System and its
interfaces, and these shall be included within the service costs together with any periodic support or maintenance costs
for the contracted period. M
Project Management
A1 NFR175 The Supplier must provide a dedicated, full-time Project Manager who shall progress the Supplier's contractual
obligations and be the focal point for communications between the Client's representatives and the Supplier for the
duration of the implementation project.
M
A1 NFR176 The Supplier's Project Manager shall be given the necessary authority and support to ensure that all work executed by
the Supplier, and any Supplier Subcontractor if appropriate, complies with the required specifications and is completed
in accordance with the agreed Project Management Plan. M
A1 NFR177 The Supplier will report to the Client Programme Manager. The Client Programme Manager is responsible for ensuring
that all elements pertaining to the execution of the implementation project are carried out. I
A1 NFR178 The Supplier should use a project management methodology which aligns with PRINCE2. D
A1 NFR179 The Supplier must describe the development methodology and approach that will be used M

A1 NFR180 The Supplier must provide a Project Management Plan (which includes a separate Gantt chart), that details how this
project will be configured, built, piloted and rolled out within the timescales identified. The schedule will be reviewed and
approved by the Client Programme Manager. M
A1 NFR181 The Supplier must provide evidence of relevant experience for key staff who will be responsible for delivery of the IT
system. A CV (with details of duration and timing of relevant experience) for each shall be provided. M
A1 NFR182 All written communications in regard to the contract must be between the Supplier's Project Manager and the Client
Programme Manager or his/her nominated representative. D
A1 NFR183 The Supplier's Project Manager, and required supporting team members, shall attend appropriate progress meetings
with the Client Programme Manager and relevant staff. The dates and times will be mutually agreed and will be no less
frequent than once every two weeks. D
A1 NFR184 The Supplier's key personnel must only be changed with prior written approval from the Client M
A1 NFR185 If any of the Supplier's Personnel fall below the (reasonably) expected professional standard, Client will be able to
request a replacement at any time. I
A1 NFR186 The Supplier must nominate a management representative, with the authority to resolve all matters pertaining to quality
M
A1 NFR187 At all times the Supplier must be responsible for the quality of the System, equipment, service, delivery, maintenance
and any training supplied during the contract. This shall include all sub-contractor supplied material or services.
M
A1 NFR188 The Supplier must maintain a quality plan for the project, agreed with the Client Programme Manager, to the satisfaction
of the Client Programme Manager, showing how the Client requirements will be met. M
Audit and Non-Conformance
A1 NFR189 The Supplier must permit access for Quality Audits M
A1 NFR190 Where Client identifies non-conformances during audits, the Supplier shall undertake corrective actions as directed by
the Client within time limits set by the Client
(Corrective actions undertaken by the Supplier as a result of non-conformances being discovered during a quality
assurance audit or other review, shall be treated as part of the original scope of work and the costs shall be deemed to
be part of the contract.) M
Supplier's Health and Safety Policy
A1 NFR191 Suppliers must supply copies of their health and safety policy. M
A1 NFR192 The Supplier must state that they take responsibility for any agent or sub-contractors acting on their behalf when
carrying out any works or supplying any goods or services to the Authority as a result of this statement of requirement.
M
A1 NFR193 Suppliers and the subsequent contractors must satisfy themselves that the policy, practice and procedures of their
Suppliers, sub-contractors conform to an acceptable standard before their Supplier or sub-contractor undertakes work
as part of any contract awarded as a result of this statement of requirement. M
Information Required

A1 NFR194 If suppliers intend to sub-contract any of the work involved with the manufacture of the goods/service please specify:
a) How long have the sub-contractor(s) been used
b) On what criteria is theselection of sub-contractors based?
c) What is the normal duration of contract with sub-contractors?
d) Who monitors the sub-contractors' performance?
e) We are also committed to policies and action that will make sure our employees and the people we serve are not
discriminated against because of their disability, race, colour, ethnic origin, religion, age, sexuality or gender. Suppliers
should explain how these principles are applied in the selection of sub contractors.
M
A1 NFR195 Suppliers should identify any conflict of interest or potential conflict of interest between the Supplier and its ability to
deliver the Service as in Schedule 5 of the Development Services Framework. M
A1 NFR196 Suppliers should must the manufacturer of all goods proposed and the country of manufacture. M
A1 NFR197 Suppliers should detail wheether, thin the last three years,hthe company has:
a) Appeared before an employment tribunal?
b) Been prosecuted for any breach of employment regulations?
c) Been prosecuted for, or been the subject of any investigation in respect of, any alleged breach of regulations relating
to equality of treatment, relating to pay, ethnicity, disability or gender?
Please answer Yes or No in respect of a), b) and c).
Suppliers should provide details where there is a Yes answer to any of the questions and explain what remedial action
has been taken as a result. M
A1 NFR198 Suppliers should confirm acceptance of the Core Terms and the amendments to the Core Terms set out in Annex E.
Any Supplier proposed amendments shall be limited to those which provide best value. M
General
A1 NFR199 The system must provide correspondence to customers in the Welsh language where required M
A1 NFR200 The system must have the option to provide correspondence in Braille. M
A1 NFR201 The Supplier must provide details of quality procedures to be applied during each stage of the contract M
A1 NFR202 The supplier’s quality management system should meet the requirements of BS EN ISO 9001:2000 D
A1 NFR203 If Sub Contractors are to be used the Supplier must ensure that management of Sub Contractor(s) and their processes
are compliant with the requirements of BS EN ISO 9001:2000.
D
A1 NFR204 Suppliers should have ISO 14001 certification regarding environmental management D
A1 NFR205 Products sourced within the supply chain for these services must be manufactured ethically, using acceptable standards
of labour and human rights practices.
M
A1 NFR206 The Supplier must have policies against discrimination because of disability, race, colour, ethnic origin, religion, age,
sexuality or gender.
M
A1 NFR207 The Supplier must propose contract performance monitoring processes for use on this contract. M
A1 NFR208 The supplier, system and supplier personnel must comply with the following as appropriate: M
A1 NFR209 Data Protection Act M
A1 NFR210 Disability Discrimination Act (1995, as amended 2005) M

Non Functional Requirements (NFR) Example Sets

Non Functional Requirements (NFR) Example Sets

Recommended

Recommended

More Related Content

More from Flevy.com Best Practices

More from Flevy.com Best Practices (20)

Recently uploaded

Recently uploaded (20)

Non Functional Requirements (NFR) Example Sets