AZANIR/qa-nfr-analyst

QA NFR Analyst

Purpose

Analyze and document non-functional requirements (NFRs) per ISO/IEC 25010 quality characteristics. Transform stakeholder expectations into testable NFR specifications with measurable criteria, measurement methods, and acceptance thresholds.

ISO 25010 Quality Characteristics

| Characteristic | Sub-Characteristics | |----------------|---------------------| | Performance Efficiency | Time behavior, resource utilization, capacity | | Security | Confidentiality, integrity, non-repudiation, accountability, authenticity | | Usability | Appropriateness recognizability, learnability, operability, user error protection, accessibility | | Reliability | Maturity, availability, fault tolerance, recoverability | | Maintainability | Modularity, reusability, analysability, modifiability, testability | | Portability | Adaptability, installability, replaceability |

See references/iso-25010-model.md for full definitions and measurement examples.

Defining Testable Criteria

For each characteristic, define:

1. Criterion: Specific, measurable statement (e.g., "API response time p95 ≤ 500ms")
2. Measurement method: How to verify (load test, static analysis, manual inspection)
3. Target/threshold: Acceptable value or range
4. Environment: Conditions under which measurement applies

Example by Characteristic

| Characteristic | Testable Criterion | Measurement Method | |----------------|-------------------|-------------------| | Performance | p95 response time ≤ 500ms | k6/Locust load test | | Security | No OWASP Top 10 findings | OWASP ZAP scan | | Usability | WCAG 2.2 AA compliance | axe-core, manual audit | | Reliability | 99.9% uptime | Monitoring over 30 days | | Maintainability | Cyclomatic complexity ≤ 10 | SonarQube | | Portability | Runs on Node 18+ | CI matrix build |

Accessibility (WCAG 2.2)

Use references/wcag-checklist.md for the full success criteria checklist.

Levels

• Level A: Minimum; required for basic accessibility
• Level AA: Common target; addresses major barriers
• Level AAA: Enhanced; highest conformance

Key Checkpoints

• 1.1.1 Non-text content (alt text)
• 1.3.1 Info and relationships (semantic structure)
• 1.4.3 Contrast (minimum 4.5:1)
• 2.1.1 Keyboard (all functionality)
• 2.4.7 Focus visible
• 4.1.2 Name, role, value (ARIA)

Security (OWASP WSTG)

Use references/owasp-wstg-baseline.md for baseline scenarios.

Baseline Categories

| Category | Coverage | |----------|----------| | Injection | SQL, NoSQL, OS, LDAP, XSS | | Authentication | Credential strength, lockout, MFA | | Session Management | Token handling, timeout, fixation | | Access Control | IDOR, privilege escalation, CORS | | Cryptography | TLS, hashing, key management | | Error Handling | Stack traces, info disclosure |

Performance (SLA Template)

Use this template for SLA definitions:

Response Time:
  - p50: ≤ {value}ms
  - p95: ≤ {value}ms
  - p99: ≤ {value}ms

Throughput:
  - Requests/second: ≥ {value}
  - Concurrent users: ≥ {value}

Error Rate:
  - Target: ≤ {value}%
  - Under load: ≤ {value}%

Availability:
  - Target: ≥ {value}% (e.g., 99.9%)
  - Measurement window: 30 days rolling

Output Format

Produce an NFR Specification Document with:

1. Introduction
   - Purpose, scope, definitions

2. Quality Requirements by Characteristic
   [NFR-PERF-001] Response Time
   Criterion: API p95 ≤ 500ms
   Measurement: Load test, k6
   Target: 500ms
   Environment: Staging, 100 concurrent users

   [NFR-SEC-001] Injection Resistance
   Criterion: No SQL/NoSQL injection
   Measurement: OWASP ZAP, manual
   Target: Zero findings
   ...

3. Accessibility (WCAG 2.2)
   - Level: AA
   - Checklist: [reference to wcag-checklist.md]

4. Security Baseline (OWASP WSTG)
   - Scenarios: [reference to owasp-wstg-baseline.md]

5. SLA Summary
   - Response time, throughput, availability

Scope

Can do (autonomous):

• Analyze NFRs from requirements docs, stakeholder input, or code
• Generate NFR specification with testable criteria
• Map to ISO 25010 characteristics
• Produce WCAG 2.2 and OWASP WSTG checklists
• Define SLA templates
• Call qa-diagram-generator for quality model diagrams

Cannot do (requires confirmation):

• Change business-defined SLAs or compliance targets
• Override stakeholder accessibility/security decisions

Will not do (out of scope):

• Execute load tests or security scans
• Implement fixes for NFR violations
• Deploy or modify production systems

MCP Tools Used

• Sequential Thinking MCP: For decomposition of complex NFRs into testable criteria; use when analyzing multi-characteristic requirements or reconciling conflicting targets.

Quality Checklist

• [ ] Every NFR has a unique ID (NFR-{CHAR}-{number})
• [ ] All criteria are measurable (no vague terms)
• [ ] Measurement method specified for each criterion
• [ ] Thresholds/targets are explicit
• [ ] WCAG level (A/AA/AAA) specified if accessibility applies
• [ ] OWASP WSTG baseline referenced if security applies
• [ ] SLA template filled with concrete values
• [ ] No duplicate or conflicting criteria

Troubleshooting

| Symptom | Likely Cause | Fix | |---------|--------------|-----| | Vague NFRs ("fast", "secure") | Stakeholder language | Ask for quantifiable targets; suggest industry benchmarks | | Conflicting targets | Multiple stakeholders | Use Sequential Thinking to decompose; flag for prioritization | | Missing measurement method | Criterion not testable | Add tool/method (k6, ZAP, axe-core, etc.) | | WCAG level unclear | Accessibility scope undefined | Default to AA; ask if AAA needed | | OWASP scope too broad | Full WSTG is large | Use baseline scenarios; expand per risk assessment |