Writing an SRS — From PRD to Contract-Grade Spec

A PRD is a product team's working doc. An SRS is a contract artifact. Banks, central banks, defense and large enterprises will not sign an SoW without one. Its job is to remove ambiguity — every requirement is testable, traceable, and uniquely numbered.

1. Introduction — purpose, scope, definitions, references.
2. Overall description — product perspective, user classes, operating environment, constraints, assumptions.
3. Functional requirements — numbered, each with a unique ID (FR-001…).
4. Non-functional requirements — performance, security, compliance, availability (NFR-001…).
5. External interfaces — UI, hardware, software, comms.
6. Data model — entities, relationships, retention.
7. Traceability matrix — every requirement maps to a test case.

Use "shall." Always. Use it once per requirement. One verb, one object, one condition.

FR-014: The system shall lock a user account after 5 consecutive failed
        login attempts within a 15-minute window.

FR-015: The system shall send an email notification to the account holder
        within 60 seconds of a lock event.

Bad: "The system should be secure and lock accounts when needed." (Untestable. No verb. No threshold.)

NFRs without numbers are wishes. Always include a metric and a measurement method.

NFR-007 (Performance): 95th percentile API response time for
         POST /transactions shall be <= 400ms under 500 RPS sustained
         load, measured with k6 in the staging environment.

NFR-012 (Availability): The platform shall maintain 99.95% monthly
         uptime, excluding scheduled maintenance windows announced 7
         days in advance.

Reference the regulation by section. "PSD2-compliant" is not a requirement; "Strong Customer Authentication per PSD2 RTS Article 4" is.

Always include: data residency, retention period, audit log scope, PII handling, and incident reporting timelines.

A spreadsheet. Columns: Requirement ID · Source (stakeholder/regulator) · Design doc reference · Test case ID · Status. If a row doesn't have a test case, the requirement isn't done.

Every SRS has a revision history table on page 2 and a sign-off page at the end. Sign-off is per-section, not just the whole doc — it lets you ship in slices.