Custom Software for Manufacturing — ERP, Shop Floor, and Quote Configurators

Manufacturing combines three pressures that almost no other industry faces simultaneously. The existing systems of record are old, deeply embedded, and famously rigid. NetSuite, Acumatica, Epicor, IQMS, Plex, JobBOSS, ProShop, and Fishbowl each model the shop differently, expose different integration surfaces, and lock the business into their workflow opinions. Most US manufacturers running mid-volume contract work have a system that does 70% of the job correctly and forces the other 30% into Excel, paper travelers, and email — at the exact volume where that overhead starts to cost real production time.

The shop floor itself is a real, physical environment. Ethernet-connected machines on an OT network deliberately segregated from the IT side. Operators wearing gloves who need a tablet interface that responds to a knuckle tap. Paper travelers that still circulate because someone in the front office is comfortable with them. Barcode scanners that have been on the floor for fifteen years and need to keep working. Web-app design for office workers does not survive contact with this environment. We build with the assumption that the tooling will be used in a hot shop by tired people, and that the interface needs to be fast and durable.

The compliance perimeter is also intense. ITAR and EAR for defense and dual-use exports. CMMC Level 2 with 110 NIST 800-171 controls for defense subcontractors handling CUI. FDA Quality System Regulation (21 CFR Part 820) for medical-device manufacturers. IATF 16949 for automotive. AS9100 for aerospace. ISO 9001 across most of the rest. Compliance failures cost contracts, not just fines.

ITAR and EAR. Defense articles and technical data under ITAR (22 CFR 120-130) require US-person workforce on the data, US-only data residency, controlled access, and a documented technology control plan. EAR-controlled data (15 CFR 730-774) follows a parallel but slightly different model. We build environments that meet these requirements; we coordinate with your empowered official on TCP integration.

CMMC and NIST 800-171. The DoD CMMC program (Level 2 for most subcontractors handling CUI) requires 110 controls drawn from NIST SP 800-171. We map architectural decisions to each applicable control family: access control, audit and accountability, configuration management, identification and authentication, incident response, media protection, system and communications protection, and system and information integrity.

FDA QSR / 21 CFR Part 820. Medical-device manufacturers need design controls, document control, CAPA, change control, and complete traceability through device history records. We build the digital surfaces (QMS modules, eDHR, ECN routing) that produce the evidence trail your FDA auditor expects.

IATF 16949, AS9100, ISO 9001. Industry-specific QMS standards have specific record retention, traceability, and process-evidence requirements. Our builds capture the evidence by default rather than as an afterthought.

21 CFR Part 11 (electronic records and signatures). For medical and pharma manufacturers, electronic records require validation, audit trails, controlled change to records, and binding electronic signatures. We integrate Part 11-aware e-signature workflows where the regulation applies.

OT/IT segmentation. Operational Technology networks running PLCs and CNC controllers must remain segmented from the IT side. We build gateways that bridge the data flow without putting web-facing services on the OT network. See network penetration testing for the assessment side.

Next.js 15 or 16 with React 19 and TypeScript for the web layer — office and customer-facing surfaces. For shop-floor tablet apps, the same stack runs as a PWA installed on inexpensive Android tablets with offline-capable form capture, optimistic writes, and background sync to the backend. Postgres on Neon, Supabase, or RDS for the system of record. Prisma or Drizzle as the ORM.

For ERP integration, a normalized internal adapter layer abstracts the carrier-specific quirks of NetSuite, Acumatica, Epicor, or IQMS behind a clean internal API. Each ERP target becomes a new adapter rather than a rewrite. For machine data, a small Linux gateway (Raspberry Pi 5 or an industrial fanless box) running Node-RED or a custom Rust service pulls OPC UA, Modbus, or MTConnect data; the gateway publishes through a controlled DMZ into an MQTT broker or Kafka topic on the IT side, where it feeds analytics and ERP integration. For CUI or ITAR workloads, deployment shifts to AWS GovCloud or Azure Government with US-citizen-only engineering access and KMS-managed envelope encryption.

Three patterns recur. First, the team tries to replace the ERP. Almost always the wrong move — the ERP is good at receivables, inventory, and the GL, and ripping it out at the same time as a new shop-floor system creates an unbearable transition. The right scope is to keep the ERP and build the shop-floor and customer-facing surfaces that the ERP is poor at.

Second, machine data gets pulled into the web app directly. A web service connects to an OPC UA endpoint on the OT network and now web-facing infrastructure sits inside what was supposed to be a segregated environment. The right pattern is a small dedicated gateway on the OT side publishing into a buffered, controlled message channel that the IT side consumes. Build that segmentation in. The cost is small; the risk reduction is large.

Third, ITAR and CMMC requirements get treated as a paperwork problem. A defense subcontractor signs the contract, plans to handle the compliance after launch, and discovers six months later that the architecture cannot retrofit US-only data residency or US-citizen access controls. The fix is a rebuild. Build the controls in at architecture time, not as a phase-two upgrade.