How to ensure compliance in regulated environments


Organizations that work in highly regulated industries such as medical/health, pharmaceutical, security, automotive, aerospace, and defense know how important it is to comply with standards and regulatory requirements.

In order to meet regulations, manufacturers must maintain strict control over the development process, from testing to maintenance and release.

Xray is a powerful test management app that can help you meet compliance and regulatory requirements in your industry.

This article shows you how you can set up a process for compliance and risk management using Xray, so you can meet compliance, every step of the way. 


Ways to ensure regulatory and compliance needs

In order to have a proper, auditable process that complies with highly demanding regulatory requirements, you need to:

  • Ensure the persistence of historical data and change tracking
  • Ensure that historical data cannot be tampered with
  • Ensure that certain items can only be modified if people are allowed to do so
  • Ensure it's possible to identify who is responsible for what
  • Identify the relationship between entities
  • Ensure testing has been performed and that acceptance criteria have been covered
  • Provide proof of the exact testing/checks that were performed
  • Ensure diagnosis is facilitated and can be easily performed
  • Ensure effective risk management is in place

Next, you’ll learn how to set up a compliance process using unique Xray features and capabilities. 


7 ways to use Xray to establish a compliance process


1. Implement your own project organization with control over project entities

Xray supports different ways to organize your project-related items. This lets teams adapt their usage of the tool to the way they need to work. More than that, it lets teams enforce or apply different rules to different entities.

The common scenario is to have an all-in-one approach where standard issue types (e.g. Story, Bug, Task) live alongside testing issue types (e.g. Test, Test Execution, Test Plan).

However, some teams prefer to have testing entities on a separate Jira project to have finer control over the process. Other teams prefer to have defects on a distinct project, or even on a remote Jira instance for security/business reasons.

All of these project organization scenarios are possible, and they allow teams to apply more restrictive rules to the related entities.


2. Implement fine access control and permissions

Organizations working in regulated environments need to be able to control the access and the permissions on project artifacts, including the ones derived from testing activities.

Access and permissions for Jira issue-based entities (i.e. Test, Pre-Condition, Test Set, Test Plan, Test Execution, Sub-Test Execution) are handled in the same way as for any other issue type in Jira.

It's also possible to restrict the execution of Test Runs to its assignee so that only the assignee can update its contents.


3. Use custom defects with their own semantics 

To make the semantics clear and to be able to apply different rules, you can use issue types other than the traditional "Bug."

In Xray, it's possible to define the issue types to be handled as "defects." Therefore, whenever reporting a bug, the team can use the Bug issue type or any other custom issue type they need.

Defects can also be covered explicitly with tests (if configured as "requirements"/coverable issue types), for explicit verification of the underlying bug fixes.

Defects can be reported on the same project alongside other project issues or can be reported on a separate Jira project. Defects can also be reported on a separate but connected Jira instance. 


4. Define requirements and track them on multiple levels

Projects in Xray usually have multiple levels of requirements (e.g. Epic > Story). Some broad or complex needs may be addressed in smaller requirements. Value can therefore be decomposed across these layers, and it's important to track it at each of them.

In Xray, a "requirement" is any issue that can be covered with tests, no matter their type. The team can define which issue types can be handled as such, even their own custom issue types. 

Xray provides multiple levels of requirements. It also provides different ways to define this hierarchical relationship (e.g., using issue links or sub-tasks).

Epic and Story issues, usual in Agile environments, can be covered directly by testing. Coverage made on the Story issues can automatically be tracked on the related Epic.

5. Track the relevant requirements across multiple versions and/or environments

Requirements exist beyond the scope of a specific version. Besides, a specific requirement may be used in different contexts (e.g., browsers, mobile devices).

Therefore we need to be able to track the status of requirements throughout time/versions and also on the different scenarios where they will be used. This (coverage) status is based on the integrated testing results, including the ones from test automation.

You can perform requirement analysis on a high-level (i.e. project), or for specific requirements.


6. Implement workflows on testing entities to have explicit control over the process

Teams can implement workflows on all Jira issue-based entities. This allows teams to implement rigorous processes, including on testing entities, leveraged by the flexibility of Jira workflows.

Additionally, Xray provides the ability to further restrict the use of some of these entities.

Possible workflow use cases:

  • have a workflow status to review test specifications
  • implement an approval mechanism, having one or more approvers
  • make items "read-only" when transitioned to a certain workflow status by setting a Jira property ("jira.issue.editable")
  • restrict usage of Tests in a certain workflow status 
  • disallow executions for Test Executions in a specific status 
  • reopen/review Tests upon changes on related requirements 
  • enforce that requirements cannot transition to a given status unless they are covered 
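
One way to check the "read-only" use case above during an audit, as an added example that is not part of the original article or of Xray itself: the script reads a workflow XML export and reports statuses that are required to be locked but do not set "jira.issue.editable" to false. The XML sample is constructed and its layout (one `<step>` per status, properties as `<meta>` children) is assumed from Jira Server/Data Center workflow exports; the status names and the locking policy are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on a Jira Server/Data Center workflow XML export
# (assumed layout: one <step> per status, status properties as <meta> children).
SAMPLE_WORKFLOW = """\
<workflow>
  <steps>
    <step id="1" name="Draft">
      <meta name="jira.status.id">10000</meta>
    </step>
    <step id="2" name="In Review">
      <meta name="jira.status.id">10001</meta>
    </step>
    <step id="3" name="Approved">
      <meta name="jira.status.id">10002</meta>
      <meta name="jira.issue.editable">false</meta>
    </step>
    <step id="4" name="Obsolete">
      <meta name="jira.status.id">10003</meta>
      <meta name="jira.issue.editable">true</meta>
    </step>
  </steps>
</workflow>
"""

def editable_by_status(workflow_xml):
    """Map each status (step) name to True if issues in it can be edited."""
    result = {}
    for step in ET.fromstring(workflow_xml).iter("step"):
        value = "true"  # issues stay editable when the property is absent
        for meta in step.findall("meta"):
            if meta.get("name") == "jira.issue.editable":
                value = (meta.text or "").strip().lower()
        result[step.get("name")] = value != "false"
    return result

def audit_read_only(workflow_xml, must_be_locked):
    """Return required-locked statuses that are missing or still editable."""
    editable = editable_by_status(workflow_xml)
    return sorted(s for s in must_be_locked if editable.get(s, True))

if __name__ == "__main__":
    # Hypothetical policy: approved and obsolete Tests must not be editable.
    for status in audit_read_only(SAMPLE_WORKFLOW, {"Approved", "Obsolete"}):
        print(f"FAIL: status '{status}' is not read-only")
```

A status that the policy names but the workflow does not contain is reported as a failure too, so a renamed or deleted status cannot silently drop out of the check.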

7. Sign using e-signatures to track explicit review/approval and ensure data integrity

Electronic/digital signatures are one of the common mechanisms used to ensure that a document, for example, has been reviewed by one or more people and that no changes have been made to the signed document since.

Xray issue-based entities (i.e. Test, Pre-Condition, Test Set, Test Plan, Test Execution, Sub-Test Execution) can all be digitally signed, using one of the many Jira apps available for that purpose. This is unique, as it provides full control over the core testing activities: not only Tests can be digitally signed, but also Test Sets and even Test Plans. See the available Jira apps for e-signatures.

How to ensure compliance for your organizational data

1. Record all meaningful testing evidence

Teams can follow different approaches/styles for testing: scripted (i.e. test cases and "automated" test scripts) and exploratory. No matter your testing approach, Xray can provide visibility of testing results, including evidence, all in one place: Jira.

Xray also supports exploratory testing with the Xray Exploratory App, a desktop app that can integrate with Xray to bring the best of both worlds: track exploratory testing evidence in Jira and reflect the evidence on the related requirements.

2. Ensure data persistence, history, and change tracking

In order for you to enable auditing and facilitate diagnosis, data must be stored, and changes, whenever applicable, need to be clearly identified.

In Xray, all data is persisted and can be easily tracked using a historical timeline. You can track all changes on Jira issue-based entities (i.e. Test, Pre-Condition, Test Set, Test Plan, Test Execution, Sub-Test Execution), as well as all Test Run activities. 


3. Ensure data is protected and cannot be tampered with

In Xray, historical results like Test Results cannot be modified. The same applies to past changes made on Jira issue-based entities.

It is also possible to make Xray issue-based entities read-only. Furthermore, Test specifications cannot be modified during the execution of the related test.


4. Export data in human-readable formats and automate data snapshots

You can export all core entities, including Test Runs, to PDF, Word, or Excel documents, using fully customizable report documents. With reports, you have a formal, readable copy of the relevant test data, whether it relates to test specification or execution.

You can create reports with the built-in Document Generator capabilities for Xray, or with Xray built-in reports.


How to handle risks with Risk Management and Risk-Based Testing in Xray

Handling risks is an intrinsic part of good testing and is essential to organizations that work in highly regulated environments. 

Xray supports Risk-Based Testing and allows you to define risks at different levels: project, requirement, or at the test level.

Depending on your needs, you can implement risk management using Jira built-in capabilities or through an additional app. No matter the approach, you can use risks to pick the requirements and/or the tests that you need based on risk criteria.


1. Mitigate risk by fostering clarity and facilitating collaboration

The best way to avoid misunderstandings is to clarify them and make sure doubts don't get lost in the workflows. Collaboration within the team is a form of risk mitigation in itself. To facilitate this collaboration, you can add comments and evidence (e.g., reference documentation) on all Xray issue-based entities.


2. Trace the relationship between entities, up to the code

Xray provides full traceability between requirements, tests, their runs, and reported defects. This traceability not only provides the relation between the entities but also their status based on testing. 

You can evaluate traceability for a specific version and/or a specific environment, as its contents will depend on the testing results obtained for that specific context.


Ensure compliance every step of the way 

Working in a regulated industry brings a lot of challenges and risks. With the right tools and processes, you can ensure compliance and safely mitigate risks. 

With Xray, you can simplify the process of risk management, compliance, and traceability so you can meet regulations and get your products in the hands of those who need them most.
