The CDS Non-Functional Requirements, or NFRs, are requirements related not to what an application does, but to how it does it. CDS NFRs are largely performance metrics. NFRs are determined by what is necessary to regulate and manage the CDR environment. They evolve like other aspects of the standards.
Quantitative NFRs currently apply only to Data Holders (DHs). There are various administration APIs so Data Holders can report their actual performance against the NFRs. An NFR can be observed only when the ecosystem is operational.
For example, the availability NFR (which relates to the "up-time" of a particular endpoint) cannot be assessed unless the participants are reporting downtime.
Quantitative NFRs apply to the Data Holders because it is they who are providing the CDR service that can be measured. NFRs include metrics such as transaction thresholds and response times.
Quantitative DH NFRs may affect an Accredited Data Recipient (ADR). For instance, there is a distinction between attended and unattended traffic:
- attended traffic: the ADR makes an API call when the customer is actively using their app, and is expecting a response.
- unattended traffic: the customer is not logged on but the service is obtaining data on their behalf. For example, an overnight transaction gets the latest transactions for a particular customer.
Data Holders have different obligations depending on whether traffic is attended or unattended. In an interactive, attended scenario, they have to respond faster, more frequently and at a higher threshold than in an unattended context.
ADRs should manage their unattended calls and keep them from overstressing Data Holder applications. If ADR requests exceed certain thresholds, defined in NFRs, the DH is entitled to decline the ADR requests. In this sense the NFRs may provide relief to DHs from excessive ADR requests.
There are NFRs applicable only to the Accredited Data Recipient. These are qualitative statements indicating the expected standard of behaviour and style of CDR implementation. For example, an Accredited Data Recipient that is overly "chatty", and calls a DH endpoint too often, is likely to be in breach of some qualitative NFRs. In the worst case this could be interpreted by Data Holders as a Denial of Service attack. An ADR breaching these NFRs may be required to discuss it with the CDR regulator.