Quality Attributes and Non-Functional Requirements

Every system has quality attributes: how fast it responds, how often it is available, how easy it is to change, how well it resists attack. The difference between systems that work well under pressure and systems that collapse is whether these attributes were made explicit, specified precisely, and used to drive architectural decisions before a line of code was written.

A quality attribute, also called a non-functional requirement (NFR) or quality of service requirement, describes how well a system performs a function rather than what function it performs. Quality attributes constrain the design space and determine which architectural approaches are even possible.

The distinction between functional requirements and quality attributes is precise. "The user can log in" is a functional requirement: it tells you what to build. "Login should succeed in under 200ms for 99% of requests" is a quality attribute: it tells you how well the login feature must work. A system can satisfy every functional requirement and still fail to meet any of its quality attributes. Knight Capital on 1 August 2012 is the proof.

Further examples: "The system sends email notifications" is functional. "Notifications should be delivered within 30 seconds of the triggering event under peak load" is a quality attribute. "Users can search the product catalogue" is functional. "Search should return results in under 500ms at the 95th percentile for catalogues up to 10 million items" is a quality attribute.

ISO/IEC 25010:2023, the international standard for software quality, defines eight top-level quality characteristics. Understanding this taxonomy prevents teams from treating quality as a single undifferentiated concern. Each characteristic has distinct sub-characteristics and distinct architectural implications.

Functional suitability: does the system do what it should? Sub-characteristics: completeness, correctness, appropriateness. Knight Capital satisfied this characteristic. Functional correctness alone was not enough.

Performance efficiency: how fast and resource-efficient is it? Sub-characteristics: time behaviour (response time, throughput), resource utilisation, capacity. A p99 of 2,340ms is a measurable violation of this characteristic.

Compatibility: does it work with other systems? Sub-characteristics: co-existence, interoperability. Often the least specified in enterprise projects despite being frequently the source of integration failures.

Usability: can users accomplish their goals? Sub-characteristics: learnability, operability, user error protection. Frequently conflated with functional requirements but distinct: a feature can work correctly and still be unusable.

Reliability: does it work without failure? Sub-characteristics: availability, fault tolerance, recoverability. The Knight Capital circuit breaker failure is a reliability failure under the fault tolerance sub-characteristic.

Security: does it protect against threats? Sub-characteristics: confidentiality, integrity, non-repudiation, authenticity. Zero-trust architecture is a direct response to the security characteristic.

Maintainability: can it be changed efficiently? Sub-characteristics: modularity, reusability, analysability, testability. Code with no component boundaries has near-zero analysability.

Portability: can it run in other environments? Sub-characteristics: adaptability, installability, replaceability. Container-based deployment is a direct architectural response to this characteristic.

Vague quality attributes cannot drive architectural decisions. "The system should be fast" could mean 10ms or 10 seconds. "The system should be available" could mean 99% uptime (87 hours of downtime per year) or 99.999% (5 minutes per year). These differences have entirely different architectural implications.

The Software Engineering Institute (SEI) at Carnegie Mellon University provides a scenario template that forces specificity. A quality attribute scenario has six elements: source, stimulus, environment, artefact, response, and response measure. All six must be specified for a scenario to be useful.

Source: who or what generates the stimulus? A user, an external system, an attacker, a monitoring service.

Stimulus: the specific event that occurs. A search query, a login attempt, a database failure, a configuration change.

Environment: the system state at the time. Normal load, peak load, post-failure mode, during a deployment.

Artefact: the specific component or system affected. The search service, the authentication module, the entire system.

Response: what the system does in response to the stimulus. Returns results, rejects the request, fails over to a replica.

Response measure: how you know the response was adequate. In under 400ms, at the 95th percentile; with no customer-visible data loss; within 30 seconds.

A complete performance scenario: "When 500 customers simultaneously request account balances during normal business hours, the balance API returns correct data in under 150ms at the 99th percentile."

An availability scenario: "When any single database instance fails during business hours, the system continues serving customer read requests within 30 seconds, with no customer-visible data loss."

A security scenario: "When an unauthenticated request is made to any customer account endpoint, the system rejects the request with HTTP 401 and logs the attempt, within one network round-trip."

A Knight Capital-style safety scenario that was not written: "When any trading service accumulates a loss exceeding 1% of daily capital in any 60-second window, all order submission is halted within 5 seconds and an incident is raised automatically."

Quality attributes are not free and they conflict. Improving one attribute often makes another worse. Architecture is, in large part, the practice of making these trade-offs deliberately and recording the reasoning so that future decisions do not inadvertently reverse them.

The Architecture Trade-off Analysis Method (ATAM), developed at the SEI at Carnegie Mellon University, is a structured evaluation process for assessing how architectural decisions affect competing quality attributes. ATAM was designed to be run before finalising an architecture, not after. It identifies sensitivity points (decisions that strongly affect a single quality attribute), trade-off points (decisions that affect two or more quality attributes in conflicting ways), and risks (architectural decisions that may not support a quality attribute requirement under certain conditions).

The most common trade-offs in practice: strong consistency versus high availability (the CAP theorem, published by Eric Brewer in 2000, shows that a distributed system cannot have both during a network partition); performance versus security (every authentication check and input validation step adds latency); simplicity versus scalability (a single server is simple to operate but cannot scale horizontally); time to market versus maintainability (a shortcut today is a structural cost tomorrow, and architectural debt is the highest-interest form).

Adding a caching layer improves performance (cache hits reduce latency from 100ms to 5ms) but hurts consistency (cached data may be stale), increases operational complexity (another component to monitor and configure), and raises infrastructure costs. These trade-offs are not good or bad in the abstract. They are appropriate or inappropriate for the specific use case. The job of the architect is to make the trade-off explicitly, based on measured quality attribute requirements.

Use this workshop to explore the trade-off landscape for a hypothetical system. Raise sliders to express the priority of each quality attribute. The tool detects known tensions (combinations that create architectural conflicts) and synergies (combinations that reinforce each other). This mirrors the ATAM sensitivity and trade-off point analysis.

A quality attribute utility tree is a structured way to prioritise quality attributes by business impact. Developed as part of the ATAM methodology, it forces stakeholders to move from vague aspirations to specific scenarios ranked by importance and difficulty.

The tree has three levels. The root is "utility": the overall quality of the system. The first level of branches are the quality attributes that matter for this system (performance, availability, security, maintainability). The second level are the specific scenarios for each attribute, derived from real business requirements. Each scenario is rated on two dimensions: its importance to the business (high, medium, low) and its expected difficulty to achieve architecturally (high, medium, low). High-importance, high-difficulty scenarios are the architectural risks that ATAM was designed to surface.

For Knight Capital, a proper utility tree analysis would have placed "trading halt on runaway loss" as a high-importance, high-difficulty scenario under the safety quality attribute. That placement would have made it a first-class architectural concern that required a concrete design response, not a missing feature.