Maintenance Standards
This chapter defines the standards that projects with TQS certification must comply with to maintain their certification status. It covers the certification validity period, minor/patch update management, CI pass monitoring, periodic reporting, and the reasons for certification status changes.
34.1.1. Certification Validity Period
The validity period of TQS certification is determined based on the version lifecycle of the certified project.
| Item | Criteria |
|---|---|
| Default validity period | Until the next major version release (maximum 1 year) |
| Validity start date | Certificate issuance date |
| Upon expiration | Renewal audit required |
| Early expiration reasons | Major version release, certification suspension, certification revocation |
The certification validity period begins from the certificate issuance date and expires when the next major version is released or when a maximum of 1 year has elapsed. If a major version is released within 1 year, the certification expires at the time of the major version release. If no major version is released for more than 1 year, it expires after 1 year.
A renewal audit must be requested before the validity period expires, at least 2 weeks before the expiration date. If the renewal audit is not completed by the expiration date, the certification is automatically suspended.
34.1.2. Minor/Patch Update Management
Minor version (e.g., v1.1 to v1.2) or patch version (e.g., v1.1.0 to v1.1.1) updates do not affect the certification validity period. No separate renewal audit is required; confirming that the CI pipeline passes is sufficient.
The following requirements must be observed during minor/patch updates.
- After the update, it must be confirmed that the CI pipeline passes completely.
- Test coverage must be maintained at or above the certification thresholds (line 80%, branch 70%).
- When adding new dependencies, OWASP Dependency-Check must be run to check them for security vulnerabilities.
- Changes that violate existing TQS standard items must not be included.
If significant technology stack changes occur in a minor/patch update (e.g., major library replacement, architecture changes), a change audit must be requested. Regardless of the minor/patch version number, the TQS Committee may require a change audit if the scope of substantive changes is large.
34.1.3. CI Pass Monitoring
To maintain certification, the CI pipeline must pass consistently. Continuous CI pipeline failures are treated as putting the project's compliance with quality standards in doubt.
34.1.3.1. Monitoring Items
Project teams must continuously monitor the following items.
| Monitoring Item | Criteria | Verification Frequency |
|---|---|---|
| Build success rate | Maintain 90% or higher | Weekly |
| Test pass rate | 100% (all tests pass) | Every commit |
| Coverage trend | Maintain at or above certification threshold | Weekly |
| Security scan results | 0 vulnerabilities with CVSS 7.0+ | Weekly |
| Format/lint pass | 0 violations | Every commit |
34.1.3.2. Warnings and Notifications
When CI pipeline failures are repeated, the following escalation actions are performed.
| Condition | Action |
|---|---|
| 3 consecutive failures | Internal warning within the project team (self-managed) |
| 5 consecutive failures | Automatic notification to TQS Committee |
| 10 consecutive failures | TQS Committee requests root cause analysis |
| 30+ consecutive days of failure | Certification suspension review |
At 5 consecutive failures, the TQS Committee is automatically notified. After notification, the project team must report the cause of failure and the resolution plan to the TQS Committee. If CI fails consecutively for 30 or more days, the TQS Committee reviews whether to suspend the certification.
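The escalation table mixes run-count tiers with a calendar-day tier, so a low-traffic project can reach suspension review with very few failed runs. The following is an added example, not part of the TQS standard: the `CiRun` record, the function names and the sample histories are hypothetical, and it assumes the 30 days are counted from the first failure of the current unbroken streak.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Run-count tiers from the escalation table, highest first.
RUN_TIERS = [
    (10, "TQS Committee requests root cause analysis"),
    (5, "Automatic notification to TQS Committee"),
    (3, "Internal warning within the project team (self-managed)"),
]
SUSPENSION_REVIEW_DAYS = 30  # "30+ consecutive days of failure"


@dataclass
class CiRun:  # hypothetical record; map your CI provider's fields onto it
    finished: datetime
    passed: bool


def failure_streak(runs):
    """Count failed runs back from the newest one; return (count, time of first failure)."""
    count, since = 0, None
    for run in sorted(runs, key=lambda r: r.finished, reverse=True):
        if run.passed:
            break
        count, since = count + 1, run.finished
    return count, since


def escalation(runs, now):
    """Return the highest escalation tier the current failure streak has reached."""
    count, since = failure_streak(runs)
    if count == 0:
        return "No action"
    # Assumption: days are measured from the first failure of the unbroken streak.
    if now - since >= timedelta(days=SUSPENSION_REVIEW_DAYS):
        return "Certification suspension review"
    for threshold, action in RUN_TIERS:
        if count >= threshold:
            return action
    return "No action"


def constructed_history(outcomes, start=datetime(2024, 6, 1), step_days=1):
    """Build a constructed run history: one run every step_days, True = pass."""
    return [CiRun(start + timedelta(days=i * step_days), ok) for i, ok in enumerate(outcomes)]


if __name__ == "__main__":
    busy = constructed_history([True] + [False] * 6)                 # 6 failures in a week
    quiet = constructed_history([True, False, False], step_days=20)  # 2 failures, weeks apart
    print(escalation(busy, datetime(2024, 6, 8)))
    print(escalation(quiet, datetime(2024, 7, 25)))
```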
34.1.4. Periodic Reporting
Projects maintaining certification may submit quarterly certification maintenance reports. Periodic report submission is optional, but submitting reports provides the benefit of reduced audit scope during renewal audits.
34.1.4.1. Report Contents
Periodic reports must include the following items.
| Item | Content | Data Source |
|---|---|---|
| CI pass rate | Build success rate for the quarter | CircleCI dashboard |
| Coverage trend | Line/branch coverage change trend | JaCoCo, Vitest reports |
| Security scan results | Vulnerability discovery/resolution status for the quarter | OWASP report |
| Major changes | Technology stack changes, architecture changes, major feature additions | Project change history |
| Certification criteria maintenance status | Summary of compliance status for each mandatory item | Self-assessment results |
34.1.4.2. Report Submission and Benefits
- Submission frequency: Once per quarter (every 3 months)
- Submission method: Written submission to the TQS Committee
- Benefits of submission: Items confirmed through periodic reports may be exempt from re-verification during renewal audits. This can shorten the renewal audit period.
- There are no penalties for not submitting reports. However, all items must be re-verified during the renewal audit.
34.1.5. Certification Status Change Reasons
The certification status may be changed when the following reasons occur.
| Reason | Result | Response Method |
|---|---|---|
| Major version release | Renewal audit required | Request renewal audit before release |
| Long-term CI failure (30+ days) | Certification suspension | Request restoration after resolving failure cause |
| Security incident occurrence | Security item re-audit | Request re-audit after completing response measures |
| TQS standard revision | Respond within grace period | Request re-verification after applying changed items |
| Voluntary request by project team | Certification suspension or revocation | Submit request form to TQS Committee |
34.1.5.1. Major Version Release
When a major version is released (e.g., v1.x to v2.x), the existing certification expires. A renewal audit must be passed for the major version to maintain certification. It is recommended to request the renewal audit before the major version release.
34.1.5.2. Long-term CI Failure
If the CI pipeline fails consecutively for 30 or more days, the TQS Committee may decide to suspend certification. Before the suspension decision, the project team is notified in advance, and a 14-day resolution period is granted. If CI is restored to normal within the resolution period, suspension can be avoided.
34.1.5.3. Security Incident Occurrence
If a security incident (data breach, unauthorized access, vulnerability exploitation, etc.) occurs in the project, the TQS Committee may require a re-audit of security items. The project team must complete incident response measures (root cause analysis, recurrence prevention measures, security configuration reinforcement) and then request the re-audit.
34.1.5.4. TQS Standard Revision
When TQS standards are revised, a grace period is granted to existing certified projects. The grace period is determined by the TQS Committee based on the scope and difficulty of the standard changes, with a default grace period of 3 months. If the changed standard items are not applied within the grace period, certification may be suspended.