Non-Functional Requirements

NFR-001: Performance Targets

Priority: HIGH
Owner: Technical Architect

Performance Metrics

| Metric | Target | Measurement | Test Scenario |
| --- | --- | --- | --- |
| Monthly throughput | 10M invoices | Application Insights | Production monitoring |
| 100K batch processing | < 2 hours | Timestamp diff | Load test TC-200 |
| API response (p50) | < 200ms | Application Insights | Load test TC-201 |
| API response (p95) | < 500ms | Application Insights | Load test TC-202 |
| API response (p99) | < 1000ms | Application Insights | Load test TC-203 |
| PDF generation (p95) | < 5 seconds/invoice | Custom metric | Render test TC-204 |
| Handlebars render (p95) | < 2 seconds/invoice | Custom metric | Render test TC-205 |
| Queue processing lag | < 5 minutes | Queue depth / throughput | Queue monitoring |
| Database query (p95) | < 100ms | PostgreSQL slow query log | Query analysis |
| ParserService (10K batch) | < 2 minutes | Parse duration | Parser test TC-206 |

Load Testing Scenarios

Scenario 1: Steady State (Normal Month)

  • Duration: 24 hours
  • Load: 333K invoices evenly distributed
  • Concurrent batches: 5-10
  • Expected: All targets met, no errors

Scenario 2: Peak Load (Heating Season)

  • Duration: 8 hours
  • Load: 314K invoices (first week concentration)
  • Concurrent batches: 20+
  • Expected: 2-hour SLA met, >99% success

Scenario 3: Spike Test

  • Duration: 30 minutes
  • Load: 10 batches (50K invoices) uploaded simultaneously
  • Expected: Auto-scales, processes without degradation

Acceptance Criteria

| # | Criterion | Validation | Target |
| --- | --- | --- | --- |
| 1 | 100K batch completion | End-to-end test | ≤ 2 hours |
| 2 | API latency under load | 1000 RPS test | p95 ≤ 500ms |
| 3 | 10M monthly capacity | Production monitoring | ≥ 10M in peak month |
| 4 | 50-org performance | 50 concurrent uploads | All SLAs met |
| 5 | Worker auto-scaling | Monitor queue during peaks | Lag ≤ 5 min |
| 6 | PDF generation performance | 1000 PDFs | p95 ≤ 5 seconds |

NFR-002: Scalability & Auto-Scaling

Priority: HIGH
Owner: Technical Architect

Scaling Configuration

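| Component | Min | Max | Trigger | Threshold | Scale Up | Scale Down |
| --- | --- | --- | --- | --- | --- | --- |
| CoreApiService | 5 | 20 | CPU OR Request Rate | 70% OR 1000 RPS | 2 min | 10 min |
| ParserService | 2 | 10 | Queue Length | >0 | 1 min | 5 min |
| DocumentGenerator | 2 | 100 | Queue Length | >32 | 1 min | 5 min |
| EmailService | 5 | 50 | Queue Length | >50 | 1 min | 5 min |
| PostalService | 1 | 3 | Scheduled | 12:00, 20:00 CET | N/A | After completion |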

Peak Load Capacity

Normal Load (non-heating, mid-month):

  • 333K invoices/day average
  • 5-10 concurrent batches
  • Worker instances: 10-20 total

Peak Load (heating season, first/last week):

  • 2.2M invoices/week
  • 314K invoices/day
  • 20+ concurrent batches
  • Worker instances: 80-100 total

Pre-Warming Strategy (Heating Season)

Monthly Schedule:
- Day 1-7: Pre-warm to 50 instances at 00:00
- Day 8-23: Scale based on queue (2-20 instances)
- Day 24-31: Pre-warm to 50 instances at 00:00

Heating Season (Oct-Mar): Double levels
- Day 1-7: Pre-warm to 80 instances
- Day 24-31: Pre-warm to 80 instances

NFR-003: Availability & Reliability

Priority: HIGH
Owner: Technical Architect

Availability Targets

| Metric | Target | Allowed Downtime | Measurement |
| --- | --- | --- | --- |
| System Uptime | 99.9% | 43 min/month | Azure Monitor |
| Batch Success Rate | >99.5% | 50 failures per 10K | Processing logs |
| Delivery Success Rate | >98% | 200 failures per 10K | Delivery tracking |
| API Availability | 99.9% | 43 min/month | Health checks |
| MTTR | <30 minutes | N/A | Incident timestamps |
| MTBF | >720 hours | N/A | Incident tracking |

Multi-Region Deployment

Primary Region: West Europe (Sweden, Denmark)
Secondary Region: North Europe (Norway, Finland)

Traffic Routing:

  • Azure Traffic Manager (Performance routing)
  • Health check: /health every 30 seconds
  • Auto-failover: 3 consecutive failures
  • Failover time: <2 minutes

NFR-004: Security Requirements

Priority: CRITICAL
Owner: Technical Architect

Authentication & Authorization

OAuth 2.0:

  • Grant Type: Client Credentials
  • Token Provider: Microsoft Entra ID
  • Token Lifetime: 1 hour
  • Algorithm: RS256

Roles:

  1. Super Admin (global)
  2. Organization Admin (single org)
  3. Template Admin (single org)
  4. Batch Operator (single org)
  5. Read-Only User (single org)
  6. API Client (single org)
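
The OAuth 2.0 and role requirements above can be enforced as a claim-policy check on each access token. The sketch below is an added example, not code from the project; the `roles` and `org_id` claim names, the use of the role names as claim values, and the function names are assumptions. It does not verify the RS256 signature, which must still be done against the token provider's keys before a token is trusted.

```python
import base64
import json

MAX_LIFETIME_S = 3600  # NFR-004: token lifetime of 1 hour
# Role names from NFR-004; using them verbatim as claim values is an assumption.
ROLE_SCOPE = {"Super Admin": "global", "Organization Admin": "org",
              "Template Admin": "org", "Batch Operator": "org",
              "Read-Only User": "org", "API Client": "org"}


def _segment(seg: str) -> dict:
    obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def policy_violations(token: str, target_org: str, now: int) -> list:
    """Return NFR-004 claim violations (empty list = pass); no signature check."""
    try:
        head, body, _sig = token.split(".")
        header, claims = _segment(head), _segment(body)
    except ValueError:
        return ["malformed token"]
    found = []
    if header.get("alg") != "RS256":  # also rejects "none" and HS256
        found.append("alg is not RS256")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        found.append("missing iat/exp")
    else:
        if exp - iat > MAX_LIFETIME_S:
            found.append("lifetime exceeds 1 hour")
        if not iat <= now < exp:
            found.append("token not currently valid")
    # "roles" and "org_id" are assumed claim names, not taken from the page.
    roles = claims.get("roles") if isinstance(claims.get("roles"), list) else []
    known = [r for r in roles if isinstance(r, str) and r in ROLE_SCOPE]
    if not known:
        found.append("no recognised role")
    elif not any(ROLE_SCOPE[r] == "global" or claims.get("org_id") == target_org
                 for r in known):
        found.append("role not valid for this organization")
    return found


def make_sample(alg: str, claims: dict) -> str:  # constructed, unsigned token
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.constructed"
```
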

Encryption

In Transit:

  • TLS 1.3 minimum
  • HSTS enabled

At Rest:

  • Blob Storage: AES-256
  • PostgreSQL: AES-256
  • Backups: AES-256

NFR-005: Data Retention

Priority: HIGH
Owner: Legal/Compliance

| Data Type | Retention | Storage Tier Transitions |
| --- | --- | --- |
| Invoices (PDF/HTML/JSON) | 7 years | Day 0-365: Hot; Day 366-2555: Cool; Day 2556+: Archive |
| Batch Source (XML) | 90 days | Day 0-30: Hot; Day 31-90: Cool; Day 91+: Delete |
| Audit Logs | 7 years | Year 0-1: PostgreSQL; Year 1-7: Blob (compressed) |
| Application Logs | 90 days | Application Insights |

Approval Section

Stakeholder Sign-Off

| Stakeholder Role | Name | Signature | Date | Status |
| --- | --- | --- | --- | --- |
| Product Owner | | | | ☐ PENDING |
| Technical Architect | | | | ☐ PENDING |

Approval Criteria

  • All CRITICAL requirements reviewed and accepted
  • All HIGH requirements reviewed and accepted
  • All dependencies identified and acknowledged
  • All risks reviewed with mitigation strategies
  • All acceptance criteria defined and measurable
  • Budget and timeline implications understood
  • Resource allocation confirmed
  • Compliance requirements validated (GDPR, Bokföringslagen)

Change Control

Any changes to approved CRITICAL or HIGH priority requirements must follow the change control process:

  1. Document proposed change in Jira (tag with egflow version)
  2. Impact assessment (scope, timeline, cost)
  3. Re-approval by Product Owner and Technical Architect
  4. Update this document with version increment
  5. Communicate changes to development team
  6. Update affected Jira issues with new fixVersion

Version History

| Version | Date | Author | Changes | Release Target |
| --- | --- | --- | --- | --- |
| 1.0 | 2025-11-20 | Product Owner | Initial draft | egflow-1.0.0 |
| 1.1 | 2025-11-21 | Product Owner | Added FR-003 details, updated acceptance criteria | egflow-1.0.0 |
| 1.2 | 2025-11-27 | Product Owner | Updated versioning strategy to match Gasell model | egflow-1.0.0 "Corny Flamingo" |

