Skip to main content

Overview

The /arckit.requirements command creates comprehensive business and technical requirements that drive vendor RFPs, architecture design, and testing strategies.

When to Use

  • Phase: Phase 5 - Define Requirements
  • Timing: AFTER SOBC approval (if business case needed)
  • Purpose: Create detailed requirements informed by stakeholder goals

Command Usage

/arckit.requirements <project ID or feature>

Examples

# Create requirements for existing project
/arckit.requirements 001

# Focus on specific feature
/arckit.requirements authentication module

# New project
/arckit.requirements Build a payment processing system

Requirement Categories

Business Requirements (BR-xxx)

Purpose: Define business objectives and success criteria
  • Business objectives and measurable success criteria
  • ROI and cost savings expectations
  • Timeline and milestones
  • Stakeholder needs
Example: 
**BR-001**: Cost Reduction
**Statement**: The system MUST reduce invoice processing operational costs by 40% within 12 months of go-live.
**Rationale**: Addresses CFO Goal G-1 (from ARC-001-STKE-v1.0.md)
**Acceptance Criteria**:
- FTE count reduced from 20 to 13 by Month 12
- Processing cost per invoice reduced from £15 to £9
- Annual savings of £700K achieved by Year 2
**Priority**: MUST
**Stakeholder**: CFO (Primary), Finance Director (Secondary)

Functional Requirements (FR-xxx)

Purpose: Define what the system must DO
  • User personas and their needs
  • User stories and use cases
  • Features and capabilities
  • User workflows
Example: 
**FR-012**: Invoice Approval Workflow
**Statement**: As a Finance Manager, I MUST be able to approve invoices via mobile app so that I can approve invoices while traveling.
**Acceptance Criteria**:
- Mobile app available on iOS 14+ and Android 11+
- Push notification when invoice awaiting approval
- Approve/reject with mandatory comment
- Digital signature capture for audit trail
- Offline mode with sync when connected
**Priority**: MUST
**User Persona**: Finance Manager (Sarah, 45, travels 40% of time)
**User Journey**: Invoice Approval Flow (see FR-012-journey.png)

Non-Functional Requirements (NFR-xxx)

Purpose: Define HOW WELL the system must perform

Performance (NFR-P-xxx)

**NFR-P-001**: API Response Time
**Statement**: Payment API MUST respond within 2 seconds for 95th percentile under normal load.
**Rationale**: Aligns with Security by Design principle (SEC-001)
**Test Method**: Load testing with JMeter, 1000 concurrent users
**Priority**: MUST

Security (NFR-SEC-xxx)

**NFR-SEC-003**: Data Encryption
**Statement**: All payment card data MUST be encrypted at rest using AES-256 and in transit using TLS 1.3.
**Rationale**: PCI-DSS 4.0 Requirement 3.5, aligns with Encryption principle (SEC-005)
**Test Method**: Penetration testing, code review
**Priority**: MUST

Scalability (NFR-S-xxx)

**NFR-S-001**: Horizontal Scaling
**Statement**: The system MUST support horizontal scaling to handle 300% traffic increase during Black Friday.
**Rationale**: Aligns with Scalability principle (ARCH-001)
**Test Method**: Load testing, auto-scaling validation
**Priority**: MUST

Availability (NFR-A-xxx)

**NFR-A-001**: Uptime SLA
**Statement**: The system MUST maintain 99.95% uptime (< 4.38 hours downtime/year).
**Rationale**: Addresses Operations Director Outcome O-3 (from ARC-001-STKE-v1.0.md)
**Test Method**: Monitoring dashboards, incident logs
**Priority**: MUST

Compliance (NFR-C-xxx)

**NFR-C-002**: GDPR Right to Erasure
**Statement**: The system MUST delete all personal data within 30 days of data subject request.
**Rationale**: GDPR Article 17, DPA 2018 compliance
**Test Method**: DPIA validation, data lineage audit
**Priority**: MUST

Integration Requirements (INT-xxx)

Purpose: Define system-to-system interactions 
**INT-003**: CRM System Integration
**Upstream System**: Salesforce CRM
**Data Exchange**: Customer profile, payment history
**Protocol**: REST API with OAuth 2.0
**Frequency**: Real-time (< 5 second latency)
**Data Format**: JSON payload, OpenAPI 3.0 specification
**Error Handling**: Retry 3 times with exponential backoff, dead letter queue for failures
**SLA**: 99.9% availability, < 500ms response time (p95)
**Priority**: MUST

Data Requirements (DR-xxx)

Purpose: Define data models, retention, and privacy 
**DR-005**: Transaction Data Retention
**Data Entity**: Payment Transaction (E-002 from data model)
**Retention Period**: 7 years (financial records regulation)
**Archival Strategy**: Move to cold storage after 2 years
**PII Classification**: Contains PII (cardholder name, email)
**GDPR Lawful Basis**: Contract (Article 6(1)(b))
**Encryption**: AES-256 at rest, TLS 1.3 in transit
**Access Control**: Finance team (read), Payment API (write), Audit (read-only)
**Priority**: MUST

Requirement Structure

Each requirement MUST have:
  1. Unique ID: BR-001, FR-001, NFR-P-001, INT-001, DR-001
  2. Clear Statement: Using MUST/SHOULD/MAY (RFC 2119)
  3. Acceptance Criteria: Objective, testable conditions
  4. Priority: MUST | SHOULD | MAY
  5. Rationale: WHY this requirement exists
  6. Traceability: Link to stakeholder goals, architecture principles, risks

Alignment with Stakeholder Goals

Requirements must trace back to stakeholder analysis: 
Stakeholder: CFO (from ARC-{PROJECT_ID}-STKE-v*.md)
  → Goal G-1: Reduce infrastructure costs 40% by end of Year 1
    → BR-001: System MUST reduce operational costs by 40%
      → NFR-P-001: API response time < 2s (enables automation → cost reduction)
        → Success: CFO Outcome O-1 measured monthly

Requirement Conflicts & Resolutions

IMPORTANT: Requirements often conflict due to competing stakeholder drivers.

Identify Conflicts

Review stakeholder analysis conflict analysis section:
Conflict TypeExample
Speed vs QualityCFO wants fast delivery vs Operations wants thorough testing
Cost vs FeaturesFinance wants minimal spend vs Product wants rich features
Security vs UsabilitySecurity wants MFA vs Users want seamless experience
Flexibility vs StandardizationBusiness wants customization vs IT wants standards

Document Resolution

For each conflict: Example: 
### Conflict: Security vs Usability

**Conflicting Requirements**:
- NFR-SEC-002: CISO requires MFA for all users (MUST)
- FR-008: Product Owner wants passwordless login (MUST)

**Stakeholders Involved**:
- CISO (HIGH power, HIGH interest) wants maximum security
- Product Owner (MEDIUM power, HIGH interest) wants user satisfaction

**Trade-off Analysis**:
- **Option A**: MFA for all → Security satisfied, users frustrated (NPS drops)
- **Option B**: Passwordless for all → Users happy, CISO blocks go-live
- **Option C** (Chosen): Risk-based authentication

**Resolution Strategy**: COMPROMISE
- Admin users: MFA mandatory (satisfies CISO)
- Regular users: Passwordless with biometrics (satisfies Product)
- High-risk actions: Step-up MFA (e.g., large payments)

**Decision Authority**: CTO (RACI: Accountable)
**Approval Date**: 2025-10-29
**Updated Requirements**:
- NFR-SEC-002a: Admin users MUST use MFA
- FR-008a: Regular users MAY use passwordless login
- NFR-SEC-002b: High-risk actions MUST trigger step-up MFA

Resolution Strategies

  • Prioritize: Choose one stakeholder over another (reference power/importance)
  • Compromise: Find middle ground (risk-based authentication)
  • Phase: Satisfy both at different times (MVP = speed, Phase 2 = quality)
  • Innovate: Creative solution (automated testing for speed AND quality)

Traceability

Every requirement traces to:
  • Stakeholder Goal: Which goal does this address?
  • Architecture Principle: Which principle does this align with?
  • Risk: Does this mitigate a risk from the risk register?
Example Traceability Matrix:
RequirementStakeholder GoalArchitecture PrincipleRisk Mitigated
BR-001CFO Goal G-1Cost Efficiency (FIN-001)R-003 (Budget overrun)
NFR-SEC-003CISO Goal G-5Security by Design (SEC-001)R-009 (Data breach)
NFR-A-001Ops Goal G-3Resilience (ARCH-003)R-007 (Service outage)

Output File

Creates: projects/{project}/ARC-{PROJECT_ID}-REQ-v1.0.md Contains:
  • Executive Summary (total counts, compliance summary)
  • Business Requirements (BR-xxx)
  • Functional Requirements (FR-xxx) organized by user journey
  • Non-Functional Requirements (NFR-xxx) by category
  • Data Requirements (DR-xxx)
  • Integration Requirements (INT-xxx)
  • Requirement Conflicts & Resolutions (if any)
  • Acceptance Criteria for each requirement
  • Requirements Traceability Matrix

Version Detection

The command automatically detects existing versions:
  • v1.0: First version (no previous file exists)
  • v1.1: Minor update (refreshed content, updated details, corrections)
  • v2.0: Major update (new requirement categories, significant new requirements)

Prerequisites

MANDATORY (command will warn if missing):
  • STKE (Stakeholder Analysis) - Requirements must align with stakeholder goals
RECOMMENDED (read if available):
  • PRIN (Architecture Principles) - NFRs must align with principles
  • RISK (Risk Register) - Risk-driven requirements
  • SOBC (Business Case) - Benefits → Requirements alignment

Industry-Specific Requirements

Financial Services

  • Transaction integrity (ACID compliance)
  • Audit trails (SOX, PCI-DSS)
  • Disaster recovery (RTO/RPO)
  • Data encryption and tokenization

Healthcare

  • HIPAA compliance
  • PHI data handling
  • Patient consent management
  • Clinical safety

Retail

  • Payment processing (PCI-DSS)
  • Inventory integration
  • Customer data protection (GDPR)
  • Peak load handling (Black Friday)

Government

  • Accessibility (WCAG 2.2 AA)
  • Public records (FOI compliance)
  • Security clearances
  • Open standards

Quality Checks

Before delivery, verifies:
  • All requirements are SMART (Specific, Measurable, Achievable, Relevant, Time-bound)
  • Every MUST requirement has objective acceptance criteria
  • All high-priority stakeholder drivers have MUST requirements
  • NFRs align with architecture principles
  • Compliance requirements clearly flagged
  • Conflicts documented with resolutions
  • Traceability matrix complete
  • No ”< 3 seconds” (markdown escape: use ”< 3 seconds” with space)

Next Steps

After creating requirements:
  1. Review with stakeholders to validate
  2. If DR-xxx exist: Run /arckit.data-model to create comprehensive data model
  3. If no DR-xxx: Run /arckit.research to research technology options
  4. Use requirements for vendor RFP (via /arckit.sow)
  5. Use requirements for HLD validation (via /arckit.hld-review)

Data Modeling

Create data model from DR-xxx requirements

Research

Research technology options to meet requirements

DPIA

Assess data protection impact from requirements

Traceability

Map requirements to design and tests

Example Outputs

Build docs developers (and LLMs) love

Get started for freeTalk to us