Why Testing Needs Gates
Imagine starting system testing only to discover that the test environment is not set up, or half the features are still being coded. You would waste days before any meaningful testing could happen. Now imagine declaring testing “complete” without a clear definition of what “complete” means — every stakeholder would have a different opinion.
Entry and exit criteria solve both problems. They are the gates that control when a testing phase starts and when it can end.
What Are Entry Criteria?
Entry criteria are the preconditions that must be fulfilled before a specific testing phase can begin. They answer the question: “Are we ready to start?”
Think of entry criteria as a checklist at a gate. If all items are checked, the gate opens and testing proceeds. If items are missing, the team must address them first.
Common entry criteria include:
- Requirements are reviewed and approved
- Test environment is set up and accessible
- Test data is prepared
- Test cases are written and reviewed
- The build is deployed and a smoke test has passed
- All blocking defects from the previous phase are resolved
What Are Exit Criteria?
Exit criteria are the conditions that must be met to consider a testing phase complete. They answer the question: “Are we done?”
Without exit criteria, “done” becomes subjective. One person might think 80% test execution is enough; another might insist on 100%. Exit criteria remove ambiguity by establishing objective, measurable thresholds.
Common exit criteria include:
- A defined percentage of test cases have been executed (e.g., 95%)
- No open critical or high-severity defects
- Defect density is below an agreed threshold
- All planned test types (functional, regression, performance) are completed
- Test summary report is prepared and reviewed
Entry and Exit Criteria by STLC Phase
The specific criteria vary by testing phase. Below is a comprehensive reference table.
Unit Testing
| Entry Criteria | Exit Criteria |
|---|---|
| Code module is complete and compiles | All unit tests pass |
| Unit test framework is configured | Code coverage meets the target (e.g., 80%) |
| Coding standards review is done | No critical defects in the module |
Integration Testing
| Entry Criteria | Exit Criteria |
|---|---|
| Unit testing is complete (exit criteria met) | All integration test cases executed |
| Modules to be integrated are available | Interface defects are resolved |
| Integration test plan is approved | Data flow between modules verified |
| Test environment supports integration | Test summary report prepared |
System Testing
| Entry Criteria | Exit Criteria |
|---|---|
| Integration testing is complete | 95%+ test cases executed |
| Complete build deployed to test environment | No open critical/high defects |
| System test plan and cases reviewed | All functional requirements verified |
| Test data prepared | Non-functional requirements validated |
| Traceability matrix updated | Test summary report approved |
User Acceptance Testing (UAT)
| Entry Criteria | Exit Criteria |
|---|---|
| System testing exit criteria met | All UAT scenarios executed |
| UAT environment mirrors production | Business stakeholders sign off |
| Business users are trained and available | No open defects that block business processes |
| UAT test scenarios approved by business | Go-live decision documented |
Who Defines the Criteria?
Entry and exit criteria are not created by one person in isolation. They emerge from collaboration:
The QA Lead typically drafts the initial criteria based on experience and industry standards. Then the team reviews and adjusts them. The final, agreed-upon criteria are documented in the test plan and shared with all stakeholders.
Key principle: criteria must be measurable and objective. “Good enough quality” is not a valid criterion. “Zero critical defects and fewer than 5 high-severity defects” is.
Practical Examples
Example 1: E-Commerce Checkout Feature
Entry criteria for system testing:
- Payment gateway integration is complete
- Test credit card numbers are configured in sandbox
- Checkout flow is deployed to the staging environment
- Test cases cover all payment methods (credit card, PayPal, Apple Pay)
Exit criteria for system testing:
- All checkout scenarios tested across 3 browsers
- Payment processing verified for all supported currencies
- No defects with severity Critical or High
- Performance: checkout completes in under 3 seconds
Example 2: Mobile Banking App
Entry criteria for UAT:
- System testing exit criteria are met
- UAT environment uses production-like data (anonymized)
- Business testers have test accounts and devices
- Regulatory compliance checks are documented
Exit criteria for UAT:
- All 50 UAT scenarios executed by business users
- Sign-off obtained from Compliance, Operations, and Product
- Any deferred defects have workarounds documented
- Go-live checklist completed
What Happens When Criteria Are Not Met?
When entry criteria are not fully met, the team has three options:
- Wait — delay the phase until all criteria are met
- Proceed with risk — start testing with documented risks and a mitigation plan
- Waive specific criteria — formally agree to skip a criterion with stakeholder approval
The decision must be documented. In most organizations, proceeding with unmet criteria requires approval from the project manager or steering committee.
When exit criteria are not met, the team faces a similar decision: continue testing, release with known risks, or extend the timeline.
Best Practices
- Define criteria early — include them in the test plan, not as an afterthought
- Keep criteria measurable — use numbers, percentages, and specific conditions
- Get stakeholder agreement — criteria only work if everyone agrees to them
- Review and update — adjust criteria as the project evolves (scope changes, risk changes)
- Track progress — monitor exit criteria metrics daily during testing
- Document deviations — if criteria are waived, record who approved and why
Common Mistakes
- Setting criteria too strict — requiring 100% pass rate when 95% is realistic
- Setting criteria too loose — allowing critical defects to pass through
- Not documenting criteria — verbal agreements are forgotten
- Ignoring criteria under pressure — when deadlines loom, criteria are the first casualty
- One-size-fits-all criteria — different projects and phases need different thresholds
Exercise: Define Entry and Exit Criteria
Scenario: You are the QA Lead for a new feature in a healthcare patient portal. The feature allows patients to view and download their lab results as PDF. The portal handles sensitive medical data (HIPAA regulated).
Your task: Define entry and exit criteria for system testing and UAT of this feature.
Consider:
- What makes this project high-risk?
- What security-related criteria should be included?
- What compliance requirements affect the criteria?
- How strict should the defect threshold be?
Write your criteria in a table format for each phase.
Hint
Think about the unique aspects of healthcare software:
- HIPAA compliance requires audit trails and access controls
- Medical data accuracy is critical (wrong lab results could harm patients)
- PDF generation must be tested for data integrity
- Security testing (penetration testing, access controls) should be an entry or exit criterion
Solution
System Testing — Entry Criteria
| # | Criterion |
|---|---|
| 1 | Lab results integration with backend API is complete |
| 2 | PDF generation module is deployed and functional |
| 3 | Test environment configured with HIPAA-compliant logging |
| 4 | Test data contains anonymized but realistic lab results |
| 5 | Security test cases (access control, encryption) are reviewed |
| 6 | HIPAA compliance checklist is available |
| 7 | Smoke test passes on the build |
System Testing — Exit Criteria
| # | Criterion |
|---|---|
| 1 | 100% of critical path test cases executed (view, download, print) |
| 2 | 95% overall test case execution |
| 3 | Zero open Critical or High defects |
| 4 | Security testing complete: no unauthorized access possible |
| 5 | PDF content matches database records (data integrity verified) |
| 6 | Audit trail captures all access to lab results |
| 7 | Performance: PDF generates within 5 seconds |
UAT — Entry Criteria
| # | Criterion |
|---|---|
| 1 | System testing exit criteria met |
| 2 | UAT environment uses production-like data (anonymized real records) |
| 3 | Clinical staff and patient representatives are trained |
| 4 | Compliance officer is available for review |
| 5 | UAT scenarios approved by medical and compliance teams |
UAT — Exit Criteria
| # | Criterion |
|---|---|
| 1 | All UAT scenarios executed by clinical staff |
| 2 | Patient-facing flows verified by patient representatives |
| 3 | Compliance officer sign-off on HIPAA requirements |
| 4 | Zero defects that could lead to incorrect medical data display |
| 5 | Accessibility requirements verified (WCAG 2.1 AA) |
| 6 | Go/no-go decision documented with all stakeholder signatures |
Why these criteria are appropriate:
- Stricter than typical projects because of HIPAA regulation and patient safety
- 100% execution on critical paths (not just 95%) because medical data accuracy is non-negotiable
- Includes compliance-specific exit criteria that standard projects would not need
- Requires explicit sign-off from clinical and compliance stakeholders
Key Takeaways
- Entry criteria prevent premature starts; exit criteria prevent premature endings
- Criteria must be measurable, documented, and agreed upon by stakeholders
- Different STLC phases need different criteria
- Regulated industries require stricter and more specific criteria
- When criteria cannot be met, document the deviation and get formal approval