Software testing: A risk-based approach

Software Testing risk-based approach

Here in CompuCal we have been working on the development and testing of software for regulated industries for over 25 years. Thus, we know the challenges and the needs of the sector. We know that the documented validation of the software is a requirement for compliance with FDA, FSMA and other relevant regulations.

There are three things we should consider when planning software testing:

  • The testing resources (time, number of testers, equipment) are quantitative and qualitative limited.
  • There is an exponential sequence of combinations that users can do when interacting with a program. This means it is close to impossible to test every situation.
  • There are issues with higher impact on software’s functionality than others.

We need to prioritise our testing efficiently, focusing on the fundamental testing purpose of delivering software with as little defects as possible. In other words, we need to implement a Risk-Based Testing approach.

For the purpose of that approach and the criticality assessment we define the risk (a) embedded to the software itself, and (b) related to our resources (time, people). At the same time, we need to investigate the risk of a potential defect in terms of its impact to the final user of the software.

Risk Assessment

Based on the Risk assessment we can efficiently decide how we should distribute the testing effort during the testing cycle. We could use the following commonly accepted terminology to define the risk or in other words to prioritise our testing activities:

  • Severity: the impact of a potential defect to the user
  • Probability: likelihood of a fault occurring
  • Detectability: likelihood that the fault will be noted before harm occurs
Risk assessment matrix
Source: ISPE 2008,

Taking into consideration the above three factors and using a matrix template (figure 1) we can evaluate the risk included to each area within our testing scope. High risk areas with low or medium detectability will define a high priority in our testing process.

In general, we could say that severity depends on the nature of the product and the criticality of the area under testing. Probability mainly depends on the complexity of the code applied for a specific feature. Detectability depends on the nature of the feature. However, those are just few basic factors related to severity, probability and detectability, not an exhaustive list.

Risk-Based Testing is a must! It is a fundamental process which dramatically contributes to the quality of delivered product.

CompuCal’s Software testing

CompuCal Calibration Management Software is fully validated and all updates are tested following GAMP 5 guidelines.

It is the best calibration management solution for regulated industries like life sciences, pharmaceutical and food and beverage. Oil & Gas and Manufacturing industries can also benefit from CompuCal. For more information, contact us now.