ID	S63
Version	2.1.8
Type	Overarching Standards
Status	Effective
Effective Date	Nov 28, 2025
Contracting Vehicle(s)	GP IT Futures Tech Innovation DFOCVC Community Pharmacy Clinical Services

1 Introduction
- 1.1 Non-Functional Questions Model
2 Baseline Assurance Standard Requirements
3 Further Requirements
- 3.1 Validation and Testing
4 Roadmap

Introduction

Non-functional requirements describe how the Solution works, not what the Solution should do, and serve as constraints or restrictions on the design of the Solution. The following non-functional questions are to enable The Authority to assess the risk associated with the Compliance Assessment of the Solution against the overarching Service Management, Information Governance, Security, Testing, and Business Continuity and Disaster Recovery (BCDR) Standards. Supplier’s answers will also demonstrate they understand the non-functional landscape of the market they are selling into.

Non-Functional Questions Model

The Non-Functional Questions (NFQs) model illustrated within Figure A attempts to show the relationships between the Supplier’s Solution and the non-functional requirements (NFRs) required to meet the Overarching Standards, provide appropriate levels of service and, where relevant, satisfy the required service SLAs.

Suppliers are responsible for ensuring the non-functional elements of their Solutions are capable of meeting any defined service levels for specific Capabilities provided, as well as any other NFRs specified by The Authority across other Standards.

Suppliers must provide an appropriate answer to the Non-Functional Questions - the level of information and evidence required in the answer will depend on the Capabilities and scale of deployment of the Supplier’s Solution and this will be determined and specified in the guidance provided as part of the Capability Mapping and Standards Compliance Onboarding process.

Figure A - Non-Functional Questions Model

Baseline Assurance Standard Requirements

The Baseline Assurance Standard (BAS) provides a proportionate, risk-based assurance approach for Solutions; balancing safety against efficiency by combining a minimum set of essential Requirements from the DSIC Overarching Standards. Completing the BAS is the first step to achieving full assurance with the Overarching Standards allowing Supplier Solutions to be published on the Buying Catalogue. Upon meeting this Standard, Solutions are required to meet any remaining Further Requirements in the Overarching Standard as applicable to the Contracting Vehicle within a period of 12 months.

All Baseline Assurance Requirements can be found here. Each Solution will be assigned a category of A, B or C that determines the level of assurance applied to that Solution. See the relevant category column to understand the assurance required for each Requirement. For information on Solution Categories see Solution Categories for Assurance in DSIC.

The following table of Requirements are the Requirements in the Baseline Assurance Standard related to Non-Functional Questions.

Applicable Contracting Vehicle(s)

ID

Requirement

Category A

Category B

Category C

Resilience

GP IT Futures
Tech Innovation
DFOCVC
Community Pharmacy Clinical Services

GP-NFQ-RS-5

Component Failure Impact Analysis

Describe what CFIA documentation has been produced?

Full Assessment

Supporting evidence to include:

CFIA documentation which takes consideration of infrastructure/architectural/hardware/software design and assessing behaviour to demonstrate what/if scenarios have been considered (and the analysis documented) if individual components or services were to fail.
Live Witness Assessment.

Self-certification with Supporting Evidence

Supporting evidence to include:

CFIA documentation which takes consideration of infrastructure/architectural/hardware/software design and assessing behaviour to demonstrate what/if scenarios have been considered (and the analysis documented) if individual components or services were to fail.

Self-certification with Supporting Evidence

Supporting evidence to include:

CFIA documentation which takes consideration of infrastructure/architectural/hardware/software design and assessing behaviour to demonstrate what/if scenarios have been considered (and the analysis documented) if individual components or services were to fail.

GP IT Futures
Tech Innovation
DFOCVC
Community Pharmacy Clinical Services

GP-NFQ-RS-3

Software Design

Describe what level of resilience is provided in the software design?

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation detailing the level of resilience provided in your software design, including how the system maintains data integrity, handles component failures, recovers from crashes, degrades gracefully under partial failure, and remains performant under peak load.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation detailing the level of resilience provided in your software design, including how the system maintains data integrity, handles component failures, recovers from crashes, degrades gracefully under partial failure, and remains performant under peak load.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation detailing the level of resilience provided in your software design, including how the system maintains data integrity, handles component failures, recovers from crashes, degrades gracefully under partial failure, and remains performant under peak load.

Service Management

GP IT Futures
Tech Innovation
DFOCVC
Community Pharmacy Clinical Services

GP-NFQ-SM-3

Monitoring

Describe what are the key resources, services and performance indicators that can be monitored?

Full Assessment

Supporting evidence to include:

Documentation detailing the key resources, services and performance indicators that can be monitored along with the rationale and any impact considerations. Provide screenshots where applicable.
Live Witness Assessment.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation detailing the key resources, services and performance indicators that can be monitored along with the rationale and any impact considerations. Provide screenshots where applicable.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation detailing the key resources, services and performance indicators that can be monitored along with the rationale and any impact considerations. Provide screenshots where applicable.

GP IT Futures
Tech Innovation
DFOCVC
Community Pharmacy Clinical Services

GP-NFQ-SM-4

Alerting

Who is alerted if a resource or service is not meeting the agreed service levels?

Full Assessment

Supporting evidence to include:

Documentation describing monitoring reports and templates.
Live Witness Assessment.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation describing monitoring reports and templates.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation describing monitoring reports and templates.

GP IT Futures
Tech Innovation
DFOCVC
Community Pharmacy Clinical Services

GP-NFQ-SM-7

Event logging

What events are logged?

Full Assessment

Supporting evidence to include:

Server logs or equivalent showing all events that are logged.
Live Witness Assessment.

Self-certification with Supporting Evidence

Supporting evidence to include:

Server logs or equivalent showing all events that are logged.

Self-certification with Supporting Evidence

Supporting evidence to include:

Server logs or equivalent showing all events that are logged.

Capacity Management

GP IT Futures
Tech Innovation
DFOCVC
Community Pharmacy Clinical Services

GP-NFQ-CM-3

Capacity Management toolset

What Capacity Management toolset is implemented and what is the scope of information capture available.

Full Assessment

Supporting evidence to include:

Documentation detailing the capacity management toolset and scope of information capture.
Live Witness Assessment.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation detailing the capacity management toolset and scope of information capture.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation detailing the capacity management toolset and scope of information capture.

GP IT Futures
Tech Innovation
DFOCVC
Community Pharmacy Clinical Services

GP-NFQ-CM-4

Capacity Management

Describe how the capacity of the Solution is managed and the associated reports that are produced, include management and solution process models.

Full Assessment

Supporting evidence to include:

Planning/actions and toolsets used to ensure that the infrastructure has adequate resources to support and maintain SLA targets.
Live Witness Assessment.

Additional supporting evidence could include:

Report examples of specific metrics used with forecasts.

Self-certification with Supporting Evidence

Supporting evidence to include:

Planning/actions and toolsets used to ensure that the infrastructure has adequate resources to support and maintain SLA targets.

Additional supporting evidence could include:

Report examples of specific metrics used with forecasts.

Self-certification with Supporting Evidence

Supporting evidence to include:

Planning/actions and toolsets used to ensure that the infrastructure has adequate resources to support and maintain SLA targets.

Additional supporting evidence could include:

Report examples of specific metrics used with forecasts.

Integrity

GP IT Futures
Tech Innovation
DFOCVC
Community Pharmacy Clinical Services

GP-NFQ-I-1

Message Accuracy and Transfer

Describe how message accuracy and transfer is achieved and maintained (e.g. how is the data guaranteed not to be corrupt).

Full Assessment

Supporting evidence to include:

Documentation/diagrams detailing how message accuracy and transfer is achieved and maintained.
Live Witness Assessment.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation/diagrams detailing how message accuracy and transfer is achieved and maintained.

Self-certification with Supporting Evidence

Supporting evidence to include:

Documentation/diagrams detailing how message accuracy and transfer is achieved and maintained.

Further Requirements

Suppliers must complete assurance for these Requirements in addition to Requirements in the Baseline Assurance Standard in order to achieve full compliance with the Non-Functional Questions Standard. Suppliers can complete these at the same time as Requirements within the Baseline Assurance Standard or following the publication on the Buying Catalogue subject to meeting the timelines laid out by the Authority.

Applicable Contracting Vehicle(s)	ID	Requirement	Category A	Category B	Category C

Applicable Contracting Vehicle(s)

ID

Requirement

Category A

Category B

Category C

Usability

GP IT Futures
Tech Innovation
DFOCVC

GP-NFQ-U-3

Supported browser versions

Which browsers are supported and what are the minimum and recommended versions?

How do you approach the deprecation and uplift of browser versions?

Self-certification with Supporting Evidence

Supporting evidence to include:

For deprecation/upgrade, details of how the End User is made aware: state all methods of communication along with what is included.

Self-certification with Supporting Evidence

Supporting evidence to include:

For deprecation/upgrade, details of how the End User is made aware: state all methods of communication along with what is included.

Self-certification with Supporting Evidence

Supporting evidence to include:

For deprecation/upgrade, details of how the End User is made aware: state all methods of communication along with what is included.

GP IT Futures
Tech Innovation
DFOCVC

GP-NFQ-U-6

UI Standards

What user interface standards does the Solution meet? Are you following ISO 9241-210:2019 - the ‘six principles for human centred design'?

Full Assessment

Supporting evidence to include:

Valid ISO 9241-210:2019 certificate.
Documented evidence that the six principles for human centred design were followed, see also: How a 20 year old standard is still relevant today.

Self-certification with Supporting Evidence

Supporting evidence to include:

If ISO 9241-210:2019 was followed, provide documented evidence that the six principles for human centred design were followed, see also: How a 20 year old standard is still relevant today.

Self-certification with Supporting Evidence

Supporting evidence to include:

If ISO 9241-210:2019 was followed, provide documented evidence that the six principles for human centred design were followed, see also: How a 20 year old standard is still relevant today.

DFOCVC

GP-NFQ-U-7

Supported devices

What devices are supported by the Solution that can be used and accessed by End Users?

Self-certification with Supporting Evidence

Supporting evidence to include:

How these facilitate secure access inline with the Authority’s authentication and authorisation policies.

Self-certification with Supporting Evidence

Supporting evidence to include:

How these facilitate secure access inline with the Authority’s authentication and authorisation policies.

Self-certification with Supporting Evidence

Supporting evidence to include:

How these facilitate secure access inline with the Authority’s authentication and authorisation policies.

DFOCVC

GP-NFQ-U-8

Client Access Mechanism (Accessibility)

Describe how the Solution is accessed by/available to the End User?

Self-certification with Supporting Evidence

Supporting evidence to include:

How to access the Solution in the event of unexpected connection issues or other interruptions.
How availability of the event is managed by the Solution e.g. details for offline working.
For data or file sharing and uploading, provide information on the file formats supported by the Solution, such as PDF, JPEG etc.

Self-certification with Supporting Evidence

Supporting evidence to include:

How to access the Solution in the event of unexpected connection issues or other interruptions.
How availability of the event is managed by the Solution e.g. details for offline working.
For data or file sharing and uploading, provide information on the file formats supported by the Solution, such as PDF, JPEG etc.

Self-certification with Supporting Evidence

Supporting evidence to include:

How to access the Solution in the event of unexpected connection issues or other interruptions.
How availability of the event is managed by the Solution e.g. details for offline working.
For data or file sharing and uploading, provide information on the file formats supported by the Solution, such as PDF, JPEG etc.

Performance and Scalability

GP IT Futures
Tech Innovation
DFOCVC

GP-NFQ-PS-3

Number of concurrent sessions

What is the peak number of concurrent user sessions the Solution can support?

Self-certification with Supporting Evidence

Supporting evidence to include:

Load test documentation such as a performance test report showing the number of concurrent sessions achieved under peak load during the test(s), including any considerations which may impact this value.

Self-certification

GP IT Futures
Tech Innovation
DFOCVC

GP-NFQ-PS-5

Response times

What are the expected response times in a given percentage of cases for a given operation e.g. Login or Open Patient Record?

Provide different types of operation including command and query operations.

Self-certification with Supporting Evidence

Supporting evidence to include:

Performance test report or an equivalent document which shows how the figure is derived.
Any considerations which may impact this value.

Additional supporting evidence could include:

Performance test report showing the load test response time values (preferably 90 percentile, Min, Max and Average) for the business critical transactions/workflows included in the test.
Explanation of how the load test results meet the SLAs.

Self-certification with Supporting Evidence

Supporting evidence to include:

Performance test report or an equivalent document which shows how the figure is derived.
Any considerations which may impact this value.

Additional supporting evidence could include:

Performance test report showing the load test response time values (preferably 90 percentile, Min, Max and Average) for the business critical transactions/workflows included in the test.
Explanation of how the load test results meet the SLAs.

Self-certification with Supporting Evidence

Supporting evidence to include:

Performance test report or an equivalent document which shows how the figure is derived.
Any considerations which may impact this value.

Additional supporting evidence could include:

Performance test report showing the load test response time values (preferably 90 percentile, Min, Max and Average) for the business critical transactions/workflows included in the test.
Explanation of how the load test results meet the SLAs.

GP IT Futures
Tech Innovation
DFOCVC

GP-NFQ-PS-6

Transactions per second

How many user transactions per second (TPS) are supported?

Define what a user transaction consists of and how it is measured.

Self-certification with Supporting Evidence

Supporting evidence to include:

Any considerations which may impact the transactions per second. One example could be the TPS achieved for the Solution during the load test; this should include the volumetric workload mix identified and show the TPS achieved during the test for each process e.g. Log in, search, update etc.

Additional supporting evidence could include:

Performance test report document.

Self-certification with Supporting Evidence

Supporting evidence to include:

Any considerations which may impact the transactions per second. One example could be the TPS achieved for the Solution during the load test; this should include the volumetric workload mix identified and show the TPS achieved during the test for each process e.g. Log in, search, update etc.

Additional supporting evidence could include:

Performance test report document.