DCB Clinical Risk Management and ISTQB Risk-based Testing

I'm currently doing some consulting work on an Electronic Healthcare Records (EHR) system, specifically in the areas of DevOps and QA. As many of you will know, I'm a major proponent of risk-based software testing, having covered that topic in detail first in my book Managing the Testing Process when it came out in 1999, and in a number of subsequent books, articles, lectures, and speeches, as well as what I wrote about risk-based testing in various ISTQB syllabi. As part of my consulting work, I was digging into the DCB standard on clinical risk management to evaluate its relationship to and usefulness for risk-based testing.  

In reading the DCB 0129 standard and related docs, it struck me that there may be a subtle difference in how the word "likelihood" is being used by DCB and how it's used in risk-based testing by the ISTQB. Consider these two excerpt sections, first DCB material and then ISTQB material:

DCB 0129

  • Implementation guide: Systematic faults are characteristic of software and, unlike random faults, the likelihood of their occurrence is not amenable to quantification. Thus their likelihood is subject to judgement on a qualitative scale.
  • Definition of Likelihood: Measure of the occurrence of harm.

ISTQB

  • Advanced Test Manager syllabus: Determining the level of risk typically involves assessing, for each risk item, the likelihood of occurrence and the impact upon occurrence. The likelihood of occurrence is the probability that the potential problem exists in the system under test. In other words, likelihood is an assessment of the level of technical risk [while impact is an assessment of the level of business risk]. 
  • Definition of likelihood: The probability that a risk will become an actual outcome or event.

Notice that the ISTQB is clearly talking about likelihood as a function of how likely the defect is to exist, not how frequently that defect would cause a failure to occur in production. In risk-based testing per the ISTQB, the frequency of occurrence of failure is a subfactor influencing the impact associated with a risk.  

I believe the DCB standard may be defining likelihood as how frequently a failure occurs in a production setting, though the implementation guide material is talking about the presence of faults, similar to the ISTQB. I'd be interested in feedback from people with experience in software testing and in applying the DCB 0129 standard: can you clarify whether my understanding is correct and whether there is a difference between ISTQB risk-based testing and DCB clinical risk management on this point?
