Testing, Validation & Quality Assurance

Project: A Test Plan from an SRS

18 min Lesson 10 of 10

Project: A Test Plan from an SRS

Throughout this tutorial you have studied verification and validation, test levels, requirements-based test cases, design techniques, UAT, the Requirements Traceability Matrix, defect management, non-functional testing, and quality gates. This final lesson brings those skills together in a single, realistic exercise: deriving a complete test plan and representative test cases directly from a sample Software Requirements Specification (SRS).

The scenario is a Clinic Patient Portal — an online system that lets patients book appointments, view medical records, and receive automated reminders. The SRS excerpt below is deliberately representative of real project documentation: some requirements are crisp and testable, others need a moment of analyst thought before test conditions emerge. You will walk through the full analyst workflow from SRS to test plan.

Step 1 — Read the SRS Extract

The following extract is drawn from a fictional but realistic SRS for the Clinic Patient Portal (CPP). Study it before reading further — your test plan derives exclusively from these statements.

SOFTWARE REQUIREMENTS SPECIFICATION Project: Clinic Patient Portal (CPP) v1.0 Prepared by: Systems Analysis Team --- FUNCTIONAL REQUIREMENTS --- REQ-F01: A visitor shall be able to register an account using a valid email address and a password of at least 8 characters containing at least one uppercase letter and one digit. REQ-F02: A registered patient shall be able to log in with their email and password. After 5 consecutive failed login attempts the account shall be locked for 30 minutes. REQ-F03: A patient shall be able to search for available appointment slots by doctor name, specialty, and date range. REQ-F04: A patient shall be able to book an available appointment slot. The system shall send a confirmation email within 60 seconds and decrement the slot availability by 1. REQ-F05: A patient shall be able to cancel a booked appointment up to 2 hours before the scheduled time. Slots cancelled within this window shall be marked "unavailable" with a reason code. REQ-F06: The system shall display the patient\'s last 12 months of appointment history on their profile page. --- NON-FUNCTIONAL REQUIREMENTS --- REQ-NF01 (Performance): The appointment search results page shall return results in under 3 seconds for 95% of requests under a load of 200 concurrent users. REQ-NF02 (Security): All patient data shall be transmitted over TLS 1.2 or higher. Passwords shall be stored as salted hashes; plain-text passwords shall never be stored or logged. REQ-NF03 (Usability): A first-time user shall be able to complete the registration and first booking within 10 minutes without assistance. REQ-NF04 (Availability): The portal shall maintain 99.5% uptime during business hours (07:00–22:00 local time), excluding planned maintenance windows communicated 48 hours in advance.
Analyst habit: Before writing a single test case, number each requirement and mark it with its type (functional / performance / security / usability / availability). This up-front tagging drives which testing technique and which team owns each requirement.

Step 2 — Structure the Test Plan

A test plan is the governing document for a testing effort. It does not contain every test case — it defines scope, approach, responsibilities, schedule, and entry/exit criteria. A lean but complete test plan for CPP v1.0 looks like this:

TEST PLAN — Clinic Patient Portal (CPP) v1.0 1. SCOPE In scope : All requirements in SRS v1.0 (REQ-F01 to REQ-F06, REQ-NF01 to REQ-NF04). Out of scope : Admin panel, payment integration (v2.0 scope). 2. TEST LEVELS & OWNERS Unit testing : Development team (each module) Integration testing : Development team (API contracts) System testing : QA team (full SRS coverage) UAT : 3 clinic receptionists + 5 patients (pilot group) 3. TEST DESIGN TECHNIQUES Equivalence partitioning + boundary value analysis : REQ-F01 (passwords) Decision table testing : REQ-F02 (lockout logic) Use-case testing : REQ-F03, REQ-F04, REQ-F05 Performance testing : REQ-NF01 Security testing : REQ-NF02 Exploratory / usability : REQ-NF03 4. ENTRY CRITERIA (testing may begin when) - All SRS-covered features have passed code review. - A stable build is deployed to the staging environment. - Test data (10 demo patients, 3 doctors, 30-day slot grid) is loaded. 5. EXIT CRITERIA (release is approved when) - 100% of critical/high test cases executed and passed. - Zero open Critical defects; no more than 3 open Medium defects. - UAT sign-off obtained from clinic representative. - REQ-NF01 performance benchmark met on staging. 6. DEFECT MANAGEMENT Tool: project issue tracker. Severity levels: Critical / High / Medium / Low. Critical defects block the release; all others logged for triage. 7. SCHEDULE (indicative) Unit + integration testing : Weeks 1–2 System testing : Weeks 3–4 UAT : Week 5 Performance & security : Week 5 (parallel) Defect fix + regression : Week 6 Go/No-Go decision : End of Week 6
Test Plan Structure: from SRS to Release Decision SRS v1.0 REQ-F01..F06 REQ-NF01..NF04 Test Plan Scope · Levels · Techniques Schedule · Entry/Exit Criteria Functional Testing System tests · UAT Performance Testing Load test REQ-NF01 Security Testing TLS · password hashing Usability / Availability UAT walk-through · uptime SLA Go / No-Go Quality Gate
Test plan structure for CPP v1.0: the SRS drives a plan that fans out into functional, performance, security, and usability/availability streams, converging at the release quality gate.

Step 3 — Derive Representative Test Cases

With the test plan in place, you now write test cases for a representative sample of requirements. A complete suite for CPP would contain 80-120 test cases; the six cases below are the analyst-designed anchors — one per functional requirement — from which the QA team extends coverage.

TEST CASE TC-01 Requirement : REQ-F01 (Registration) Technique : Boundary Value Analysis on password field Precondition: No account exists for test@clinic.example Steps : 1. Navigate to /register. 2. Enter email = test@clinic.example. 3. Enter password = "Abc1234" (7 chars — one below minimum). 4. Submit form. Expected : System rejects submission; error message states the password must be at least 8 characters. Step 5 : Change password to "Abc12345" (exactly 8 chars, 1 uppercase, 1 digit). Submit form. Expected : Account created; confirmation email dispatched. Priority : Critical TEST CASE TC-02 Requirement : REQ-F02 (Account lockout) Technique : Decision table Precondition: Account exists for lock@clinic.example; no prior failed attempts. Steps : 1. Attempt login with wrong password 5 times consecutively. Expected (after attempt 5): System displays "Account locked for 30 minutes" and prevents further login attempts. Step 2 : Wait 31 minutes. Attempt login with correct password. Expected : Login succeeds; failed-attempt counter reset to 0. Priority : Critical TEST CASE TC-03 Requirement : REQ-F03 (Appointment search) Technique : Use-case / positive path Precondition: At least 3 available slots exist for Dr. Ahmed, Cardiology, within the next 7 days. Steps : 1. Log in as patient. 2. Navigate to Search Appointments. 3. Filter by doctor = "Dr. Ahmed", specialty = "Cardiology", date range = today to today + 7 days. 4. Submit search. Expected : Results list returns at least 3 slots; each shows doctor name, date, time, and location. Response time < 3 seconds. Priority : High TEST CASE TC-04 Requirement : REQ-F04 (Book appointment and confirmation email) Technique : Use-case / integration Precondition: Patient logged in; 1 available slot for Dr. Salem on 2026-07-15 at 10:00. Steps : 1. Select the 10:00 slot from search results. 2. Confirm booking. Expected : (a) Confirmation screen appears with booking reference. (b) Slot availability decrements from 1 to 0. (c) Confirmation email arrives at patient inbox within 60 seconds. Priority : Critical TEST CASE TC-05 Requirement : REQ-F05 (Cancellation — within allowed window) Technique : Boundary value on cancellation deadline Precondition: Patient has a booking for 14:00 today. Current time = 11:59 (1 minute before the 2-hour cutoff). Steps : 1. Navigate to My Appointments. 2. Select the 14:00 booking. Click Cancel. Expected : Cancellation succeeds; slot is freed; patient receives cancellation confirmation email. Variant : Repeat with current time = 12:01 (1 minute past cutoff). Expected : System prevents cancellation; displays error: "Cancellations must be made at least 2 hours before the appointment." Priority : High TEST CASE TC-06 Requirement : REQ-F06 (Appointment history) Technique : Use-case / data boundary Precondition: Patient has 14 past appointments; 13 within the last 12 months, 1 from 13 months ago. Steps : 1. Log in. Navigate to My Profile → History. Expected : Exactly 13 appointments are displayed. The appointment from 13 months ago is not shown. Priority : Medium
Always pair positive and negative paths. TC-05 contains both the valid cancellation (1 minute inside the window) and the blocked cancellation (1 minute outside). Boundary value analysis at a business rule boundary is one of the highest-yield techniques in the analyst toolkit — it surfaces the edge cases developers most often miss.

Step 4 — Map to a Requirements Traceability Matrix (RTM)

Once test cases are written, you map them into the RTM to confirm every requirement has at least one test case and every test case traces to at least one requirement. Below is the RTM for CPP v1.0 (condensed to show coverage rather than every extended test case).

Requirements Traceability Matrix for CPP v1.0 Requirement Description Test Cases Priority Covered? REQ-F01 Registration (email + password rules) TC-01 (BVA) Critical REQ-F02 Login + account lockout (5 attempts) TC-02 (Decision table) Critical REQ-F03 Appointment search (doctor/specialty/date) TC-03 (Use-case) High REQ-F04 Book slot + confirmation email (60 s) TC-04 (Use-case / integration) Critical REQ-F05 Cancellation (2-hour boundary) TC-05 (BVA) High REQ-F06 Appointment history (last 12 months) TC-06 (Data boundary) Medium REQ-NF01 Search < 3 s at 200 concurrent users PT-01 (Load test) High REQ-NF02 TLS + salted password storage ST-01, ST-02 (Security scan) Critical
Partial RTM for CPP v1.0 — every SRS requirement maps to at least one named test case with a technique, priority, and coverage confirmation.
Coverage gaps are the analyst\'s responsibility. If you finish the RTM and any requirement row shows no test case, you have a gap — not a QA problem, an analyst problem. Either the requirement was never testable (go back and rewrite it) or a test case was simply not written (write it now). A requirement with no test case is a requirement that will never be verified.

Step 5 — Identify the UAT Scenarios

Alongside the formal test case suite, the analyst writes end-to-end UAT scenarios that real stakeholders will execute. UAT scenarios differ from test cases: they describe complete business journeys, not isolated conditions. For CPP v1.0, three UAT scenarios cover the main user workflows:

  • UAT-01 "New Patient Journey": A new patient registers, searches for a cardiologist, books a slot, receives a confirmation email, and then views the appointment in their history. Acceptance owner: Patient representative.
  • UAT-02 "Cancellation and Rebooking": A patient cancels a valid appointment (within the 2-hour window), confirms the slot is freed in search results, and immediately rebooks a different slot. Acceptance owner: Clinic receptionist.
  • UAT-03 "Security Lockout Recovery": A patient enters the wrong password 5 times, waits 30 minutes (simulated with test data), and successfully recovers access with the correct password. Acceptance owner: Clinic IT administrator.

Analyst Takeaways

Stepping back from the CPP project, the workflow you have just applied is repeatable on any system of any size:

  1. Tag requirements by type before writing a single test case — type determines technique and owner.
  2. Write the test plan first — scope, entry/exit criteria, and responsibilities before individual test cases.
  3. Derive test cases from requirement conditions — decompose each requirement into testable predicates; each predicate becomes a positive or negative test case.
  4. Apply BVA at every numeric boundary — the 8-character password, the 2-hour cancellation window, the 12-month history limit, the 60-second email deadline — all are explicit boundaries the SRS handed you.
  5. Complete the RTM — it is the evidence of coverage, not just a bureaucratic artifact.
  6. Separate UAT scenarios from system test cases — UAT validates business journeys; system tests verify individual requirements.
This is the full analyst quality cycle. From SRS statement to test plan to test case to RTM to UAT scenario: you have now walked the complete path. In practice, a good analyst drafts the first version of the test plan and UAT scenarios at the same time the SRS reaches first-draft status — quality is designed in from the start, not bolted on at the end.

Tutorial Complete!

Congratulations! You have completed all lessons in this tutorial.

Previous Lesson Quality Gates & Release Readiness
Back to Course System Analysis
Back to Course