QA How-To
Defect life cycle explained (2026)
Get the defect life cycle explained with practical states, ownership, severity, priority, triage, metrics, workflows, and QA interview answers for 2026.
16 min read | 3,253 words
TL;DR
The defect life cycle turns a defined risk into repeatable evidence. Select a narrow target, control the environment, use a trustworthy oracle, preserve failures, and connect every result to a release or engineering decision.
Key Takeaways
- Start the defect life cycle with a documented product risk and a precise oracle.
- Keep scope, data, permissions, and cleanup controlled so results are repeatable.
- Use automation for deterministic setup, execution, evidence, and regression.
- Preserve minimal reproductions and classify product, test, and environment failures separately.
- Combine the defect life cycle with complementary test levels instead of expecting one suite to prove quality.
- Review tests as architecture, interfaces, and customer workflows evolve.
The defect life cycle explained simply is the controlled path a reported problem follows from discovery through review, fixing, verification, and closure. This guide gives QA engineers the states, transition rules, evidence, roles, and metrics needed to manage defects without bureaucratic handoffs.
There is no universal set of labels. What matters is that every state has a clear meaning, owner, entry evidence, allowed next actions, and service expectation. A lean workflow protects product quality while keeping decisions visible.
TL;DR
defect life cycle explained in one view:
| State | Meaning | Primary owner | Valid next decisions |
|---|---|---|---|
| New | Report awaits review | QA or triage owner | Triaged, Duplicate, Rejected |
| Triaged | Impact and ownership agreed | Product and engineering | Ready, Deferred |
| In Progress | Change is being implemented | Developer | Ready for QA |
| Ready for QA | Fix is deployed and testable | QA | Verified, Reopened |
| Closed | Closure criteria are satisfied | QA or product | Reopened |
Use the technique when its evidence changes a release, design, or operational decision. Keep scope explicit and preserve artifacts that let another engineer reproduce the result.
1. Defect Life Cycle Explained from First Principles
A defect is an observed difference between expected and actual behavior that matters to a stakeholder. The life cycle is a state machine for deciding whether the observation is valid, when it will be addressed, whether a change resolves it, and when the record can stop demanding attention.
The workflow should preserve evidence and accountability, not create status theater. Every transition needs a reason. For example, moving from New to Rejected should capture whether behavior matches specification, evidence is insufficient, the issue duplicates another record, or the report belongs outside the product.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
2. Understand the Core Bug Life Cycle Stages
A practical baseline is New, Triaged, Ready for Development, In Progress, Ready for QA, Verified, and Closed. Alternate outcomes include Duplicate, Cannot Reproduce, Deferred, Rejected, and Reopened. Keep terminal and active states visually distinct.
Define what each state excludes. Ready for QA should mean a build is available in a named environment and the fix scope is known. Verified should mean the original failure no longer occurs and appropriate regression evidence exists. Closed may additionally require release or stakeholder confirmation.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
For deeper context, compare this workflow with how to write test cases and manual testing interview questions. Those guides help place the technique within a balanced QA strategy instead of treating it as a standalone gate.
3. Write a Triage-Ready Defect
A useful report contains a concise observed problem, environment and build, preconditions, minimal steps, actual result, expected result with an oracle, impact, reproducibility, and attachments. Logs and traces should be trimmed to the relevant time and request identifiers.
Separate fact from inference. State what was observed before suggesting a suspected root cause. Provide copyable data and exact timestamps. Remove secrets and personal information from evidence. A developer should be able to reproduce or begin diagnosis without scheduling a meeting.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
4. Set Severity and Priority Correctly
Severity describes impact on the product or user. Priority describes when the organization intends to act. A reproducible data-loss issue is normally severe even if it affects a disabled beta feature and is not scheduled immediately. A typo in a launch campaign can be low severity but urgent priority.
Use written definitions with examples. Consider scope, workaround, data integrity, security, legal exposure, revenue path, and recovery. Product and engineering jointly set priority, while QA should challenge impact assumptions with evidence.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
5. Run Effective Defect Triage
Triage confirms validity, ownership, impact, urgency, and next action. Participants should review high-risk new items, aging blockers, reopened defects, and disputed decisions. Routine low-risk reports can be handled asynchronously.
Time-box discussion and record the decision. If reproduction is missing, assign a specific evidence task instead of leaving the report in New. If deferred, capture the reason, review date, and risk owner. If duplicate, link both directions and preserve unique evidence.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
Runnable example
-- Example analytics query for PostgreSQL defect transition history.
-- transition_history(defect_id, from_state, to_state, changed_at)
WITH ordered AS (
SELECT defect_id, from_state, to_state, changed_at,
lead(changed_at) OVER (PARTITION BY defect_id ORDER BY changed_at) AS next_change
FROM transition_history
)
SELECT to_state AS state,
count(*) AS visits,
round(avg(extract(epoch FROM (next_change - changed_at)) / 3600)::numeric, 2) AS avg_hours
FROM ordered
WHERE next_change IS NOT NULL
GROUP BY to_state
ORDER BY avg_hours DESC;
Adapt names, URLs, credentials, and fixtures to a disposable test environment. The APIs shown are real, but the example domain is intentionally small so the control flow and oracle stay visible.
6. Move a Defect Through Development
When work starts, the developer should confirm the affected area and update assumptions if scope changes. Link the code change, tests, configuration, and deployment artifact. Explain root cause and fix approach in language that helps QA target regression.
A fix is not ready for QA merely because code was merged. The designated build must contain the change, required flags and data must be known, and automated checks should pass. Handoff quality directly affects verification time.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
7. Verify, Reopen, and Close
Verification repeats the minimal reproduction on the fixed build, then explores adjacent risks suggested by root cause and code scope. Confirm the intended platforms, roles, locales, data states, or integrations. Preserve evidence for the verified result.
Reopen when the acceptance condition is still violated or the same root cause produces the same impact. Create a linked new defect when the observed problem is materially different. Closure criteria should be explicit so reporting is consistent across teams.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
8. Handle Special Resolutions Transparently
Cannot Reproduce means the team attempted specified conditions but could not observe the behavior. It is not a synonym for invalid. Record attempts, environments, and missing evidence. Rejected means the team decided the report is not a product defect, with rationale.
Deferred accepts that risk remains. Name the decision owner and review trigger. Known Issue communicates an accepted defect to users or support. Duplicate consolidates work but should retain reporters, environments, and votes that reveal scope.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
This is also where root cause analysis guide becomes useful. Boundary-specific evidence should connect to the broader journey and release risk.
9. Measure Flow Without Gaming It
Useful measures include time to triage, time in active states, reopen rate, escaped defect themes, aging by risk, and verification queue time. Segment by severity and work type. A single average hides blocked critical items and long-tailed distributions.
Metrics are diagnostic signals, not individual performance scores. High defect counts can mean poor quality, excellent testing, a risky migration, or better reporting. Pair counts with change volume, impact, detection phase, root cause, and customer outcomes.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
10. Customize the Defect Life Cycle Explained Workflow
Start with the smallest state set that supports real decisions. Document allowed transitions, required fields, owners, and automation. Use workflow validators sparingly because excessive mandatory fields encourage fabricated data and slow urgent reporting.
Review the system quarterly. Merge states nobody distinguishes, automate build and deployment metadata, archive stale deferred items through a risk review, and sample closed reports for evidence quality. The workflow should improve learning as well as throughput.
A practical review asks four questions: what customer or system risk is represented, what exact observation counts as failure, how will the test return the environment to a known state, and who acts on the result? Write those answers beside the test. This prevents an impressive technical exercise from becoming disconnected from delivery decisions.
Evidence and review checkpoint
Before accepting this part of the strategy, run a peer review with QA, development, and the system owner. Show the precondition, the action, the expected invariant, and the artifact produced when the invariant fails. Ask a second engineer to reproduce one passing and one deliberately failing case from the written instructions. Record the application revision, configuration, test-data identifier, start time, and relevant correlation identifiers. This checkpoint exposes hidden dependencies and weak oracles early. It also creates an audit trail that remains useful when the original author is unavailable or the test moves into a different pipeline.
Interview Questions and Answers
Interviewers want judgment, not a memorized definition. Use a concise situation, explain the oracle and tradeoff, and state what the technique cannot prove.
Q: How would you explain the defect life cycle in an interview?
I would define the boundary, the risk it addresses, and the evidence it produces. I would then contrast it with a neighboring test level and give one concrete example. Most importantly, I would explain its limits so the interviewer knows I do not treat one technique as complete quality proof.
Q: How would you introduce the defect life cycle to an existing team?
I would select one costly or credible risk, create a small reproducible pilot, and agree on an oracle before automating. I would measure diagnosis quality and defects found, then expand only when the workflow is stable. This keeps adoption tied to product risk rather than tool enthusiasm.
Q: What should block a release in the defect life cycle?
A repeatable failure should block when it violates an agreed critical invariant or release criterion. I would also block when missing telemetry or setup makes a required high-risk result unknowable. Lower-risk findings can follow the team's documented acceptance and ownership process.
Q: How do you prevent flaky results in the defect life cycle?
I control inputs, environment, time, identity, and shared state, then wait on observable conditions instead of arbitrary delays. I preserve enough evidence to identify the first divergence. Retries may help classify instability, but the original failure remains visible and owned.
Q: How do you choose what to test first with the defect life cycle?
I rank candidates by customer impact, likelihood, change frequency, integration complexity, and how hard failures are to detect elsewhere. I start with a narrow scenario that is safe and diagnosable. The first case should demonstrate useful evidence, not maximum breadth.
Q: How do you report the defect life cycle results?
I report scope, environment, revision, inputs, expected oracle, actual evidence, and residual uncertainty. I separate product failures from harness or environment failures. For each confirmed problem, I provide a minimal reproducer, impact, owner, and retest condition.
Q: What is the limitation of the defect life cycle?
It proves only the behavior covered by its target, inputs, environment, and oracle. It cannot establish absence of defects. I combine it with complementary test levels, production telemetry, and risk review rather than inflating its result into a broad quality claim.
Common Mistakes
- Starting with a tool before defining the product risk and observable failure.
- Expanding scope before the smallest scenario is deterministic and diagnosable.
- Treating activity, coverage, or a green status as proof that customer outcomes are correct.
- Sharing mutable data or identities across parallel runs.
- Hiding the original failure behind retries, averages, or incomplete logs.
- Keeping obsolete tests after architecture, interfaces, or workflows change.
- Closing findings without a regression check and named risk owner.
A strong practice does the opposite: it uses explicit preconditions, a trustworthy oracle, bounded execution, preserved evidence, and a documented decision. Review failures for patterns and improve both the product and the test system.
Conclusion
defect life cycle explained is most useful when it connects a realistic risk to repeatable evidence. Begin with one narrow, high-value case, make its setup and oracle unambiguous, and automate only after the workflow is trustworthy.
Use the results to improve design, diagnostics, and regression coverage. Your next step is to choose one recent defect or incident, express the missed expectation as a testable invariant, and build the smallest safe test that can challenge it.
Interview Questions and Answers
How would you explain the defect life cycle in an interview?
I would define the boundary, the risk it addresses, and the evidence it produces. I would then contrast it with a neighboring test level and give one concrete example. Most importantly, I would explain its limits so the interviewer knows I do not treat one technique as complete quality proof.
How would you introduce the defect life cycle to an existing team?
I would select one costly or credible risk, create a small reproducible pilot, and agree on an oracle before automating. I would measure diagnosis quality and defects found, then expand only when the workflow is stable. This keeps adoption tied to product risk rather than tool enthusiasm.
What should block a release in the defect life cycle?
A repeatable failure should block when it violates an agreed critical invariant or release criterion. I would also block when missing telemetry or setup makes a required high-risk result unknowable. Lower-risk findings can follow the team's documented acceptance and ownership process.
How do you prevent flaky results in the defect life cycle?
I control inputs, environment, time, identity, and shared state, then wait on observable conditions instead of arbitrary delays. I preserve enough evidence to identify the first divergence. Retries may help classify instability, but the original failure remains visible and owned.
How do you choose what to test first with the defect life cycle?
I rank candidates by customer impact, likelihood, change frequency, integration complexity, and how hard failures are to detect elsewhere. I start with a narrow scenario that is safe and diagnosable. The first case should demonstrate useful evidence, not maximum breadth.
How do you report the defect life cycle results?
I report scope, environment, revision, inputs, expected oracle, actual evidence, and residual uncertainty. I separate product failures from harness or environment failures. For each confirmed problem, I provide a minimal reproducer, impact, owner, and retest condition.
What is the limitation of the defect life cycle?
It proves only the behavior covered by its target, inputs, environment, and oracle. It cannot establish absence of defects. I combine it with complementary test levels, production telemetry, and risk review rather than inflating its result into a broad quality claim.
Frequently Asked Questions
What is the defect life cycle?
the defect life cycle is a disciplined testing approach used to expose risks before they affect users. Teams define an explicit scope, observable success criteria, and repeatable evidence rather than treating the activity as an informal check.
When should a QA team use the defect life cycle?
Use it when the related failure mode can create material customer or delivery risk. Start after basic functional checks are stable, then run it at the lowest environment and frequency that still produces trustworthy evidence.
Can the defect life cycle be automated?
Yes, but automation should follow a clear manual model of the risk. Automate repeatable setup, execution, evidence collection, and cleanup while keeping approval gates for actions that could affect shared or production systems.
Who owns the defect life cycle?
Ownership is shared. QA shapes scenarios and evidence, developers make components testable, platform engineers provide safe controls and telemetry, and product owners help rank customer impact.
How do you measure success in the defect life cycle?
Measure whether critical behavior remains correct, failures are detected quickly, evidence is actionable, and follow-up defects reduce residual risk. A raw pass percentage is not enough without coverage and impact context.
What is the biggest mistake in the defect life cycle?
The biggest mistake is executing tests without a precise oracle or decision rule. A test that produces activity but cannot distinguish acceptable behavior from risk creates noise rather than confidence.