Testing, Validation & Quality Assurance
Project: A Test Plan from an SRS
Project: A Test Plan from an SRS
Throughout this tutorial you have studied verification and validation, test levels, requirements-based test cases, design techniques, UAT, the Requirements Traceability Matrix, defect management, non-functional testing, and quality gates. This final lesson brings those skills together in a single, realistic exercise: deriving a complete test plan and representative test cases directly from a sample Software Requirements Specification (SRS).
The scenario is a Clinic Patient Portal — an online system that lets patients book appointments, view medical records, and receive automated reminders. The SRS excerpt below is deliberately representative of real project documentation: some requirements are crisp and testable, others need a moment of analyst thought before test conditions emerge. You will walk through the full analyst workflow from SRS to test plan.
Step 1 — Read the SRS Extract
The following extract is drawn from a fictional but realistic SRS for the Clinic Patient Portal (CPP). Study it before reading further — your test plan derives exclusively from these statements.
SOFTWARE REQUIREMENTS SPECIFICATION
Project: Clinic Patient Portal (CPP) v1.0
Prepared by: Systems Analysis Team
--- FUNCTIONAL REQUIREMENTS ---
REQ-F01: A visitor shall be able to register an account using a valid
email address and a password of at least 8 characters containing
at least one uppercase letter and one digit.
REQ-F02: A registered patient shall be able to log in with their email
and password. After 5 consecutive failed login attempts the
account shall be locked for 30 minutes.
REQ-F03: A patient shall be able to search for available appointment
slots by doctor name, specialty, and date range.
REQ-F04: A patient shall be able to book an available appointment slot.
The system shall send a confirmation email within 60 seconds
and decrement the slot availability by 1.
REQ-F05: A patient shall be able to cancel a booked appointment up to
2 hours before the scheduled time. Slots cancelled within this
window shall be marked "unavailable" with a reason code.
REQ-F06: The system shall display the patient\'s last 12 months of
appointment history on their profile page.
--- NON-FUNCTIONAL REQUIREMENTS ---
REQ-NF01 (Performance): The appointment search results page shall return
results in under 3 seconds for 95% of requests under a load of
200 concurrent users.
REQ-NF02 (Security): All patient data shall be transmitted over TLS 1.2
or higher. Passwords shall be stored as salted hashes; plain-text
passwords shall never be stored or logged.
REQ-NF03 (Usability): A first-time user shall be able to complete the
registration and first booking within 10 minutes without
assistance.
REQ-NF04 (Availability): The portal shall maintain 99.5% uptime during
business hours (07:00–22:00 local time), excluding planned
maintenance windows communicated 48 hours in advance.
Analyst habit: Before writing a single test case, number each requirement and mark it with its type (functional / performance / security / usability / availability). This up-front tagging drives which testing technique and which team owns each requirement.
Step 2 — Structure the Test Plan
A test plan is the governing document for a testing effort. It does not contain every test case — it defines scope, approach, responsibilities, schedule, and entry/exit criteria. A lean but complete test plan for CPP v1.0 looks like this:
TEST PLAN — Clinic Patient Portal (CPP) v1.0
1. SCOPE
In scope : All requirements in SRS v1.0 (REQ-F01 to REQ-F06,
REQ-NF01 to REQ-NF04).
Out of scope : Admin panel, payment integration (v2.0 scope).
2. TEST LEVELS & OWNERS
Unit testing : Development team (each module)
Integration testing : Development team (API contracts)
System testing : QA team (full SRS coverage)
UAT : 3 clinic receptionists + 5 patients (pilot group)
3. TEST DESIGN TECHNIQUES
Equivalence partitioning + boundary value analysis : REQ-F01 (passwords)
Decision table testing : REQ-F02 (lockout logic)
Use-case testing : REQ-F03, REQ-F04, REQ-F05
Performance testing : REQ-NF01
Security testing : REQ-NF02
Exploratory / usability : REQ-NF03
4. ENTRY CRITERIA (testing may begin when)
- All SRS-covered features have passed code review.
- A stable build is deployed to the staging environment.
- Test data (10 demo patients, 3 doctors, 30-day slot grid) is loaded.
5. EXIT CRITERIA (release is approved when)
- 100% of critical/high test cases executed and passed.
- Zero open Critical defects; no more than 3 open Medium defects.
- UAT sign-off obtained from clinic representative.
- REQ-NF01 performance benchmark met on staging.
6. DEFECT MANAGEMENT
Tool: project issue tracker.
Severity levels: Critical / High / Medium / Low.
Critical defects block the release; all others logged for triage.
7. SCHEDULE (indicative)
Unit + integration testing : Weeks 1–2
System testing : Weeks 3–4
UAT : Week 5
Performance & security : Week 5 (parallel)
Defect fix + regression : Week 6
Go/No-Go decision : End of Week 6
Step 3 — Derive Representative Test Cases
With the test plan in place, you now write test cases for a representative sample of requirements. A complete suite for CPP would contain 80-120 test cases; the six cases below are the analyst-designed anchors — one per functional requirement — from which the QA team extends coverage.
TEST CASE TC-01
Requirement : REQ-F01 (Registration)
Technique : Boundary Value Analysis on password field
Precondition: No account exists for test@clinic.example
Steps : 1. Navigate to /register.
2. Enter email = test@clinic.example.
3. Enter password = "Abc1234" (7 chars — one below minimum).
4. Submit form.
Expected : System rejects submission; error message states the
password must be at least 8 characters.
Step 5 : Change password to "Abc12345" (exactly 8 chars, 1 uppercase, 1 digit).
Submit form.
Expected : Account created; confirmation email dispatched.
Priority : Critical
TEST CASE TC-02
Requirement : REQ-F02 (Account lockout)
Technique : Decision table
Precondition: Account exists for lock@clinic.example; no prior failed attempts.
Steps : 1. Attempt login with wrong password 5 times consecutively.
Expected (after attempt 5): System displays "Account locked for 30 minutes"
and prevents further login attempts.
Step 2 : Wait 31 minutes. Attempt login with correct password.
Expected : Login succeeds; failed-attempt counter reset to 0.
Priority : Critical
TEST CASE TC-03
Requirement : REQ-F03 (Appointment search)
Technique : Use-case / positive path
Precondition: At least 3 available slots exist for Dr. Ahmed, Cardiology,
within the next 7 days.
Steps : 1. Log in as patient.
2. Navigate to Search Appointments.
3. Filter by doctor = "Dr. Ahmed", specialty = "Cardiology",
date range = today to today + 7 days.
4. Submit search.
Expected : Results list returns at least 3 slots; each shows doctor name,
date, time, and location. Response time < 3 seconds.
Priority : High
TEST CASE TC-04
Requirement : REQ-F04 (Book appointment and confirmation email)
Technique : Use-case / integration
Precondition: Patient logged in; 1 available slot for Dr. Salem on 2026-07-15 at 10:00.
Steps : 1. Select the 10:00 slot from search results.
2. Confirm booking.
Expected : (a) Confirmation screen appears with booking reference.
(b) Slot availability decrements from 1 to 0.
(c) Confirmation email arrives at patient inbox within 60 seconds.
Priority : Critical
TEST CASE TC-05
Requirement : REQ-F05 (Cancellation — within allowed window)
Technique : Boundary value on cancellation deadline
Precondition: Patient has a booking for 14:00 today.
Current time = 11:59 (1 minute before the 2-hour cutoff).
Steps : 1. Navigate to My Appointments.
2. Select the 14:00 booking. Click Cancel.
Expected : Cancellation succeeds; slot is freed; patient receives
cancellation confirmation email.
Variant : Repeat with current time = 12:01 (1 minute past cutoff).
Expected : System prevents cancellation; displays error: "Cancellations
must be made at least 2 hours before the appointment."
Priority : High
TEST CASE TC-06
Requirement : REQ-F06 (Appointment history)
Technique : Use-case / data boundary
Precondition: Patient has 14 past appointments; 13 within the last 12 months,
1 from 13 months ago.
Steps : 1. Log in. Navigate to My Profile → History.
Expected : Exactly 13 appointments are displayed. The appointment from
13 months ago is not shown.
Priority : Medium
Always pair positive and negative paths. TC-05 contains both the valid cancellation (1 minute inside the window) and the blocked cancellation (1 minute outside). Boundary value analysis at a business rule boundary is one of the highest-yield techniques in the analyst toolkit — it surfaces the edge cases developers most often miss.
Step 4 — Map to a Requirements Traceability Matrix (RTM)
Once test cases are written, you map them into the RTM to confirm every requirement has at least one test case and every test case traces to at least one requirement. Below is the RTM for CPP v1.0 (condensed to show coverage rather than every extended test case).
Coverage gaps are the analyst\'s responsibility. If you finish the RTM and any requirement row shows no test case, you have a gap — not a QA problem, an analyst problem. Either the requirement was never testable (go back and rewrite it) or a test case was simply not written (write it now). A requirement with no test case is a requirement that will never be verified.
Step 5 — Identify the UAT Scenarios
Alongside the formal test case suite, the analyst writes end-to-end UAT scenarios that real stakeholders will execute. UAT scenarios differ from test cases: they describe complete business journeys, not isolated conditions. For CPP v1.0, three UAT scenarios cover the main user workflows:
- UAT-01 "New Patient Journey": A new patient registers, searches for a cardiologist, books a slot, receives a confirmation email, and then views the appointment in their history. Acceptance owner: Patient representative.
- UAT-02 "Cancellation and Rebooking": A patient cancels a valid appointment (within the 2-hour window), confirms the slot is freed in search results, and immediately rebooks a different slot. Acceptance owner: Clinic receptionist.
- UAT-03 "Security Lockout Recovery": A patient enters the wrong password 5 times, waits 30 minutes (simulated with test data), and successfully recovers access with the correct password. Acceptance owner: Clinic IT administrator.
Analyst Takeaways
Stepping back from the CPP project, the workflow you have just applied is repeatable on any system of any size:
- Tag requirements by type before writing a single test case — type determines technique and owner.
- Write the test plan first — scope, entry/exit criteria, and responsibilities before individual test cases.
- Derive test cases from requirement conditions — decompose each requirement into testable predicates; each predicate becomes a positive or negative test case.
- Apply BVA at every numeric boundary — the 8-character password, the 2-hour cancellation window, the 12-month history limit, the 60-second email deadline — all are explicit boundaries the SRS handed you.
- Complete the RTM — it is the evidence of coverage, not just a bureaucratic artifact.
- Separate UAT scenarios from system test cases — UAT validates business journeys; system tests verify individual requirements.
This is the full analyst quality cycle. From SRS statement to test plan to test case to RTM to UAT scenario: you have now walked the complete path. In practice, a good analyst drafts the first version of the test plan and UAT scenarios at the same time the SRS reaches first-draft status — quality is designed in from the start, not bolted on at the end.