← Back to Blog

Jama Connect: The Trace Matrix Is Gone, and So Is 21 CFR 820.30

Jama Connect: The Trace Matrix Is Gone, and So Is 21 CFR 820.30

Two things will make almost any article about Jama Connect wrong, and both of them are recent.

The first: the Trace Matrix, the feature every writer reaches for when they need to say "and then you generate a traceability matrix," is not in the product any more. I checked by hand. Its documentation page returns HTTP 404 on both of Jama's current doc hosts, while Trace View, Coverage Explorer, Relationships and Impact Analysis all return 200. Telling a reader to run a Trace Matrix in Jama Connect is telling them to click a button that no longer exists.

The second: 21 CFR 820.30, the FDA "Design controls" section that every requirements-management vendor on earth cites as the reason you need their tool, ceased to exist as a standalone requirement on February 2, 2026. That was five months ago. Writing it in the present tense is now simply an error.

Underneath the marketing, the actual mechanic of this product is unglamorous, specific, and worth understanding before anyone signs a quote. Here it is.

Everything is an item, and that is the point

Jama Connect "is a product development platform that is database driven," in Jama's own words. Content is stored as items, "whether the item is a requirement, a risk, a test, or even project documentation," and an item type is a configurable category: system requirements, use cases, test cases.

This is the difference between Jama and a folder of Word documents. Not the fancy views. The fact that a requirement is a row with an identity, not a paragraph in a file. Jama's stated payoff is that "traceability is a by-product of the way you work," which is true only under a condition I will get to.

Items connect through relationships, and relationships have a direction. Per the docs, a relationship "indicates a direction of definition or abstraction from higher-level requirements or lower-level requirements, from requirements to verification, and from risks to mitigation," indicated by upstream and downstream. The consequence that does real work: "When an upstream item changes, the relationship between it and any downstream items is considered suspect."

Coverage is a division problem

Here is the load-bearing part almost nobody explains.

An org admin defines relationship rules. Per the setup page, you "add a rule by selecting the item type for Upstream, Downstream, and Relationship type from the drop-down menus." There is one checkbox that matters more than anything else in the product: "Select For coverage if you want this relationship included for coverage." The UI even encodes it visually, where "solid lines between items indicate a coverage (required) relationship" and "dashed lines indicate relationships that aren't for coverage."

Those rules define what Jama expects. Coverage is then the ratio of what exists to what was expected. Jama's own definition is that "coverage is the extent to which items are validated by another item," and that "typically, a requirement is considered 'covered' only if it has corresponding test cases against it and test engineers assigned to it," per the coverage docs.

The cleanest statement of the arithmetic is the Trace Score, "the overall percentage (0-100%) of the expected relationships in the project... as defined by the relationship rules set by the project admin. For example, if you have one item that can be related to three different items, the expected number of relationships is three. If you have two of those items, the expected number of relationships is six," says Jama. The score is scoped to the diagram you are looking at.

So: actual relationships divided by rule-expected relationships. That is the whole engine. Every view sits on top of it.

"Orphan" means one specific thing

Practitioners use "orphan" loosely to mean any requirement floating unconnected. Jama does not. Its Relationship Status Indicator is precise and directional:

  • Orphan Item: "Item is missing a required upstream relationship."
  • Missing Downstream: "Item is missing a required downstream relationship."
  • Suspect: "one or more upstream items have changed." The item that caused it is flagged Causing Suspect.

A requirement with no test case is not an orphan in Jama's vocabulary. It is Missing Downstream. A requirement nobody asked for, with no stakeholder need above it, is the orphan. In a design review that distinction is the difference between "we forgot to test this" and "we are building something no one requested." The indicator widget counts upstream items on top and downstream on the bottom, colouring red for "item not in compliance with relationship rules" and grey for in compliance.

The views that replaced the matrix

Per the 9.13.x release notes, Trace Matrix deprecation was announced in 8.76, it was disabled by default in 8.78 with an admin override, and after a transition period of a year or more it was removed outright, on the rationale of Trace View's "superior capabilities and significantly higher usage (over 20x)." That paragraph needs a hedge: the support article carrying the wording is behind Cloudflare, so the version numbers and the "20x" claim reach me through a search engine's rendition rather than the page itself. The removal is not in doubt. I ran the HTTP checks myself.

What you use instead, all of it currently documented:

Trace View "shows related upstream and downstream items... and any missing coverage (downstream relationship)," where "the red exclamation mark (!) indicates a missing relationship based on the relationship rule." It exports CSV, with a ceiling: "you can export a maximum of six levels from Trace View. If you try to export a view with more than six levels, the Export button is grayed out," per the export page.

Coverage Explorer "enables you to analyze the relationships established across items in your project and identify gaps," for instance "if any requirements lack verifications." It exports Excel, and a view cannot exceed 500 items per level.

Impact Analysis "shows you a complete picture of all upstream and downstream related items that might be affected by changes," run from Single Item View or a change request, per the docs.

Live Trace Explorer is the newer one, generally available rather than beta (the GA doc path returns 200 while the old beta path 404s). It "provides an at-a-glance snapshot of the traceability of your product requirements," answering how complete traceability is, by coverage percentage against the project's rules, and how good it is, by suspect links. An org admin enables it under ADMIN > Organization > Details and then per project, diagrams need a Creator license, and it exports PDF, per Jama.

Those ceilings, six levels and 500 items per level, are the kind of detail that never appears in a demo and always appears the week before an audit.

What it looks like on a real chain

Constructed strictly from the documented mechanics. Say an admin sets three rules, all with For coverage checked: Stakeholder Need to System Requirement, derived from; System Requirement to Subsystem Requirement, derived from; Subsystem Requirement to Test Case, verified by.

The chain runs NEED-12 "Clinician must be alerted within 2s of an occlusion" to SYS-45 "System shall detect occlusion and raise an audible alarm within 2000ms" to SUB-88 "Pump controller shall sample line pressure at 50Hz" to TC-301 "Verify alarm sounds within 2000ms of simulated occlusion."

The test model does the rest. Per Jama's testing docs, test cycles live in a plan and "when a case is associated with a cycle, a corresponding test run is created in that cycle." So TC-301 goes into a cycle, TR-301 appears, TR-301 fails, and the tester logs defect DEF-17, which "is traced to the originating test run to upstream test cases and requirements through the relationship configuration."

Now the states light up. SUB-88 is covered, rule three satisfied. A sibling SUB-89 with no test case shows Missing Downstream and a red exclamation in Trace View. A SYS-46 that an engineer wrote directly, with no stakeholder need above it, is an Orphan Item. Edit NEED-12's text and the link below it goes suspect while NEED-12 becomes Causing Suspect, and a human has to clear it. If the rules expected four relationships here and three exist, the Trace Score reads 75 percent. Baseline the set before the design review, since a baseline is "a snapshot of your project at a point in time" preserving each item and its relationships and states, and apply electronic signatures to freeze it.

The honest limitation

"Live Traceability™" is not a feature. There is no button. Jama defines it as automated, continuous tracking of requirements across the lifecycle, contrasted against after-the-fact traceability, a "tick-the-box" exercise that "frequently masks gaps in coverage until it is too late to fix them cost-effectively." The contrast is fair and the machinery underneath is real. But Jama renders it with a ™ while the product is Jama Connect®, and the concept lives on the marketing site, not in the help docs.

The counterweight comes from Jama's own documentation. Three sentences, read together:

  • "If you don't define a rule for a particular item type, that item type can have a relationship with anything (or nothing if the user chooses), even if the rule set is exclusive."
  • "Only future relationships are required to conform with the rule set." Existing links are grandfathered.
  • "If relationship rules haven't been applied to the project, an error appears only if the link is suspect."

A team that buys Jama Connect and skips rule configuration gets essentially no coverage signal. Not a bad one. None. The tool sits there reporting nothing wrong, indefinitely, and the Trace Score has nothing to divide by. Everything the marketing promises is downstream of an admin typing in rules that match how the organisation actually works. That is the buying decision people underestimate, and it is a people problem wearing a software costume.

The regulation everyone cites stopped existing

If you are evaluating this tool for a medical device programme, update your premise.

FDA's final rule "Medical Devices; Quality System Regulation Amendments," published February 2, 2024, states plainly: "This rule is effective February 2, 2026." It renames 21 CFR Part 820 the Quality Management System Regulation and incorporates by reference "the International Standard, ISO 13485:2016(E)... Third Edition, 2016-03-01," plus Clause 3 of ISO 9000:2015 for definitions. Part 820 now contains only "Subpart A, General Provisions, and Subpart B, Supplemental Provisions. Subparts C through O of the QS regulation have been removed and reserved," per the Federal Register text. Section 820.30 sat in Subpart C.

The obligations did not evaporate. Design and development now routes through ISO 13485:2016 Clause 7.3, and FDA confirmed the citation plumbing in a technical amendments rule published December 4, 2025 that made 162 conforming amendments, redirecting references to § 820.30 toward § 820.10(c) and references to §§ 820.180 and 820.198 toward § 820.35, "Control of records." There was no grace period beyond the two-year runway.

So the substance a tool like Jama supports, planning, inputs, outputs, review, verification, validation, transfer, change control, survives. The citation on your procedure documents does not. Any vendor deck still selling you "820.30 design controls" in the present tense is telling you how recently it was written.

The rest of the landscape needs the same care. DO-178C is a 2011 document, not 2012: FAA AC 20-115D cites it as "dated December 13, 2011," and calls itself "an acceptable means, but not the only means," not a regulation. IEC 62304's current edition is 1.1, "IEC 62304:2006+A1:2015," in force per the IEC webstore. ISO 26262 is paywalled, so I will not quote clause numbers, and I could not verify the common vendor claim that it mandates bidirectional traceability. Jama announced TÜV SÜD certification for ISO 26262 up to ASIL D and IEC 61508 up to SIL 3 in July 2016, and later added IEC 62304 and EN 50128, but no dated, currently valid certificate is public. Ask for one with an expiry date rather than accepting the present tense.

One more trap: do not assume Jama Connect is FedRAMP authorized. Jama's aerospace and defense page mentions the "FedRAMP High baseline" only while describing what AWS GovCloud regions enable, and says "ITAR Compliant" without naming an authorising body. Jama's own trust page, where such a status would live, never mentions FedRAMP at all. It claims SOC 2 Type 2 in application and data center, audited by KirkpatrickPrice and completed November 2022, plus TISAX Level 2. Running on GovCloud does not confer an authorisation.

Who owns it, and what you cannot know

Francisco Partners announced on March 18, 2024 a definitive agreement to acquire Jama Software for 1.2 billion dollars from shareholders including Insight Partners and Madrona Ventures, with CEO Marc Osofsky agreeing to "personally reinvest and continue to lead the company," per the buyer and per Jama. Insight is the seller, Francisco Partners the buyer, a distinction that trips up nearly everyone writing about this. Francisco Partners now lists Jama as a current investment, so the deal closed, but no source I could open states a closing date, and I am not going to invent one. The prior round was 200 million dollars in June 2018 led by Insight Venture Partners with Madrona Venture Group; Osofsky took over in January 2020 and is still in the seat.

The founding year, oddly, is not on the record at all. "2007" and founder Eric Winquist appear in aggregators and vendor-adjacent blogs, never in a primary source, and Jama's About page states no founding year, employee count or customer count. The hardest anchor is SEC EDGAR, holding an Oregon corporation named JAMA SOFTWARE INC, CIK 0001448131 with exactly two filings, both REGDEX paper filings from 2008 and 2009. That is the entire federal paper trail: never public, no financials.

Licences, price, and the API gate

Pricing is quote-only. Jama's pricing page publishes no dollar figures and no priced tiers, only four inclusions: "No charge for hosting," "No charge for reviewers," "No charge for file storage," "No charge for hosted sandbox." Any per-seat number on Vendr, G2, TrustRadius or Capterra is an estimate or a user report, not a Jama figure.

The licence types are Creator (full read and edit), Test Runner, Stakeholder (read-only, can comment and review), Reviewer (review participation only, no access to items in the core project), Temporary (30-day trial), and Collaborator, which the docs label explicitly as "a legacy license." Several third-party summaries present Collaborator as a current tier. It is not.

The gate that bites: REST API access "is limited to users with a Named Creator Jama Connect license." A Creator Float licence does not get it. If the plan is to pipe automated test results in or pull data out to a BI tool, that is a named-seat line item, and it belongs in the quote conversation before signature. Jama Connect Interchange is the separate integration platform, with five modules: Jira, Excel Functions, ReqIF, Datatap, and Model Context Protocol. Whether it is licensed separately, and at what price, the docs do not say.

On AI, keep the line clear. Jama Connect Advisor ships, and it "analyzes your product requirements against industry standards such as INCOSE Rules and EARS Notation, then recommends improvements." It is a paid add-on for cloud customers, arranged through a Customer Success Manager. Jama's AI page separately labels a set of features as "in the works," including Relationship Discovery, which would suggest missing traceability links automatically. That one is not shipping. Do not buy on it. Jama's claim that Advisor customers "are increasing test coverage by 5-10X, cutting testing time in half" has no published methodology and describes customers, not a specification. The AI data policy says Jama does not use customer-specific data to train general models and does not run customer data through publicly available LLMs. It names no model providers at all.

The ledger reading

Jama's homepage now calls the product an "AI-Native Engineering Management Platform" that "scales to 100 million items," a vendor claim nobody outside can check. Ignore the layer. The thing you are buying is a database of typed items and a rule engine that computes actual relationships over expected ones, plus four views on top of that number and a test model wired into it.

That engine is good. It is also inert until an admin configures it, silently grandfathers everything that predates the rules, and reports nothing wrong when nothing is defined. The tool cannot want traceability more than your organisation does. Every evaluation I would run starts in the same place: not the demo, but a whiteboard of your item types and the rules between them. If you cannot draw that, no licence fixes it, and if you can, you have already done the part that was hard.

Related reading

Fact-check notes and sources

  • The Trace Matrix is removed: I verified by direct HTTP request that the trace-matrix documentation path returns 404 on both help.jamasoftware.com and help2.jamasoftware.com, while Trace View, Coverage Explorer, Relationships and Impact Analysis return 200. The 8.76 deprecation, 8.78 disable-by-default, and the "over 20x" usage rationale come from the 9.13.x release notes, which is Cloudflare-gated; I could not open it directly and read it only through a search engine's rendition. The removal itself is independently proven by the 404s. Whether the feature is gone from the running product rather than merely undocumented, I cannot confirm.
  • Items, item types, relationships, coverage, relationship rules, orphan and suspect states, the status indicator colours, Trace Score arithmetic, the test model, baselines, and Live Trace Explorer GA status: Jama Connect Help, item-based product development, relationships, coverage and traceability, set up relationship rules, relationship status indicator, Trace Score, testing, baselines, Live Trace Explorer. The worked example is constructed from these pages; the item IDs are illustrative, not from any real project. Default relationship type names (related to, dependent on, derived from, validated by, verified by, mitigated by) are widely repeated but are not enumerated on Jama's own set the relationship types page, so I have not listed them as documented defaults.
  • QMSR effective February 2, 2026; Part 820 renamed; ISO 13485:2016 incorporated by reference; Subparts C through O removed and reserved, taking 820.30 with them: the Federal Register final rule text via GovInfo. The redirect of § 820.30 citations to § 820.10(c), and 162 conforming amendments: the technical amendments rule of December 4, 2025. eCFR and fda.gov both blocked retrieval, so nothing here is cited to them.
  • IEC 62304 edition 1.1, published 2015-06-26, in force, stability date 2028: the IEC webstore entry. The Class A/B/C classification is reported, not verified; the standard is paywalled. DO-178C dated December 13, 2011, and the AC's "acceptable means, but not the only means" language: FAA AC 20-115D, a PDF I downloaded and read. ISO 26262: the ISO catalogue returned 403 on every attempt and the standard is paywalled, so no clause-level claim here is verified.
  • TÜV SÜD certification announcements: July 25, 2016, GlobeNewswire for ISO 26262 up to ASIL D and IEC 61508 up to SIL 3, and a later Jama release adding IEC 62304 and EN 50128. No current dated certificate is public; present-tense certification is Jama's claim.
  • SOC 2 Type 2 (KirkpatrickPrice, completed November 2022), TISAX Level 2, AWS hosting, and the absence of any FedRAMP claim: Jama's trust page. The "FedRAMP High baseline" and "ITAR Compliant" language, in an AWS GovCloud context: Jama's aerospace and defense page. The FedRAMP Marketplace was not retrievable, so absence of authorisation is not formally proven, only unclaimed by Jama itself.
  • The 1.2 billion dollar deal announced March 18, 2024, Insight Partners and Madrona Ventures as sellers, Osofsky reinvesting: Francisco Partners and Jama. It was a definitive agreement subject to customary closing conditions; Francisco Partners lists Jama as a current investment with no date field, and no completion release was findable, so no closing date is asserted. The 200 million dollar round of June 26, 2018 under CEO Scott Roth: Jama. Osofsky's January 2020 appointment: the appointment release.
  • Founding year unverified: no primary source states 2007 or names a founder; Jama's About page omits founding year, employee count and customer count. The earliest primary evidence is SEC EDGAR for an Oregon corporation named JAMA SOFTWARE INC, CIK 0001448131, with two REGDEX filings dated 2008-10-14 and 2009-02-02. That record is matched on name, state and Portland address; it does not itself prove corporate continuity with today's company.
  • Quote-only pricing and the four inclusions: Jama's pricing page. Licence types including Temporary, and Collaborator as legacy: licence types and permissions. REST API limited to Named Creator: REST API and extensibility. Jama Connect Interchange and its five modules: JCI overview; separate licensing and cost are not documented anywhere public.
  • Jama Connect Advisor as a shipping paid add-on; Relationship Discovery and five other features listed as in development; the 5-10X coverage claim as a customer-outcome claim: Advisor docs and the AI solutions page. No model providers named: AI data policy, last updated May 12, 2025.
  • "Live Traceability™" as a marketing concept rather than a documented feature, and the 100 million items claim: Jama's Live Traceability page and the homepage. Scale, coverage and "only vendor" claims throughout Jama's marketing are unverifiable from outside and are attributed here rather than asserted.

This post is informational and describes a commercial product and public regulatory records from primary sources and the vendors' own published statements. It is not legal, regulatory, procurement, or engineering-compliance advice. I have no affiliation with Jama Software, Francisco Partners, or any other company or standards body named, and nothing here is endorsed by them. Product details, documentation, versions and regulations are current as of mid-2026 and change.

← Back to Blog

Accessibility Options

Text Size
High Contrast
Reduce Motion
Reading Guide
Link Highlighting
Accessibility Statement

J.A. Watte is committed to ensuring digital accessibility for people with disabilities. This site conforms to WCAG 2.1 and 2.2 Level AA guidelines.

Measures Taken

  • Semantic HTML with proper heading hierarchy
  • ARIA labels and roles for interactive components
  • Color contrast ratios meeting WCAG AA (4.5:1)
  • Full keyboard navigation support
  • Skip navigation link
  • Visible focus indicators (3:1 contrast)
  • 44px minimum touch/click targets
  • Dark/light theme with system preference detection
  • Responsive design for all devices
  • Reduced motion support (CSS + toggle)
  • Text size customization (14px–20px)
  • Print stylesheet

Feedback

Contact: jwatte.com/contact

Full Accessibility StatementPrivacy Policy

Last updated: April 2026