AI can build a database in 60 seconds. Changing a list in a regulated MES takes an hour.

This is the productivity inversion I live in every day.

I work in quality management software. With AI and MCP servers wired up, I can spin up a Postgres database, define a schema, generate seed data, write integration tests, and deploy a working API to a public URL in under five minutes. I've done this on weekends for fun.

The same week, in my day job, changing a single value in a list inside our regulated Manufacturing Execution System takes well over an hour. The change itself takes 90 seconds. The other 58 minutes are validation and documentation.

That gap is going to break something.

What "an hour" actually buys

When I say a list change takes an hour, here's what that hour holds.

A change request gets opened in the QMS. The requester documents what's changing, why, the affected work centers and the impact assessment. A Quality Engineer reviews the change for risk class. A Validation Engineer drafts the test approach. The change goes through change control board approval, even if the CCB has nothing material to discuss for a 90-second list edit.

The change gets staged in a non-production environment. A test protocol gets executed. Screenshots get captured. Pass/fail is recorded. The Validation Engineer writes a summary report. Signatures are collected. The change moves to production. A post-deployment verification confirms the value displays correctly.

The change is filed in the Design History File. The audit trail records who, when, what value before, what value after, and the approval chain.

That's the hour. The list edit is the cheapest moment in it.

I'm not arguing this is wrong. The MES runs the manufacturing process for medical devices. A wrong value in the wrong list can lead to a wrong material in a wrong product in a patient's body. The audit trail and the validation aren't bureaucracy. They're the reason a 483 observation isn't a recall.

What "60 seconds" looks like on the build side

The other half of my week looks completely different. I'll describe a real Saturday from last month.

I had an idea for a side product. With Claude Code and a Supabase MCP server, I asked for a Postgres project provisioned, with auth tables, an API key model, a billing schema, RLS policies, and a Postgres function for atomic credit deduction. I described what I wanted in plain English. The MCP created the project, applied the migrations, returned the keys.

Eight minutes later I had a working API endpoint deployed on Vercel, hitting that database, returning structured JSON. By the end of the day the API was live on a custom domain, accepting Stripe payments, with a self-serve signup flow.

Total elapsed time from idea to a real, payable product: about six hours. The actual coding was maybe 90 minutes. The rest was reading, testing, fixing the things that broke.

If I'd built that with a team in 2019 it would have been a quarter of work. Six engineers, project management, infrastructure setup, a security review. Real money. Real time.

The asymmetry between those two weeks is what I keep thinking about.

The risk side is also incredible

The cynical read is that the validation framework is slow and AI is fast, so we should make validation faster. I don't think that's the right read.

AI-generated code introduces failure modes that don't exist in human code. A unit conversion off by a factor of ten that looks completely plausible. A hallucinated API call that the model confidently invokes. A pattern matched against training data that contains a known security flaw. A test that passes for the wrong reason.

I've seen all four of these in code I've reviewed. None of them looked wrong on first read.

In a non-regulated context the worst case is a bug. You patch it, you move on. In a regulated MES context the worst case is a wrong material reaching a patient. The validation overhead exists because that worst case is unacceptable, not because the team likes paperwork.

So the risk profile of AI-generated code isn't symmetric with the productivity gain. The gain is a 30x reduction in build time. The risk is a multiplicative increase in plausible-but-wrong defects. Those don't cancel out.

Where the gap actually hurts

The productivity inversion plays out in two places.

Engineers stop pushing improvements. If a 90-second list change costs an hour, and a 90-minute feature change costs a week, engineers route around the regulated path. They build shadow tools. They keep spreadsheets that should be in the MES. They make manual workarounds rather than going through change control. Everyone knows this happens. The audit framework can't see it.

The validation team falls further behind. The build side gets faster. The validation side stays the same. Backlog grows. Validation Engineers spend their week catching up on changes from two weeks ago. Quality Engineers spend their week writing protocols for changes the engineers have already moved past.

The MES still works. The DHF still gets filed. But the gap between "what the engineers are actually doing" and "what the validation record shows" widens every quarter.

What I think is actually needed

Validation can't get less rigorous. The standards exist for the right reasons. The Quality Engineer auditing the audit trail is the same person whose name goes on the 483 if a recall happens. They're not going to relax the framework, and I wouldn't want them to.

What can get faster is the documentation generation around the rigor. The rule check for whether a change includes the required artifacts is mechanical. The first draft of a CSA-style validation rationale is mechanical. The attestation hash is mechanical. The trace matrix update is mechanical.

The Quality Engineer's judgment isn't mechanical and shouldn't be automated. Their writing time is. There's an honest hour of QE thinking in a complex change. There isn't an honest hour of QE thinking in a list edit. Right now we charge both at the same rate.

I think the framework that comes out the other side of this is one where AI handles the structural and procedural artifacts, and the Quality Engineer reviews and signs the substance. The framework's rigor stays the same. The clock time drops by a lot.

That's the bet behind this product. It's also the bet I'd make about regulated software in general for the next decade. The build side isn't slowing down. The validation side has to find a way to keep up that doesn't compromise what makes it valuable.

In the meantime I keep doing both jobs. One where AI builds in minutes and one where a list change still takes an hour. The contrast is funny once a week and frustrating the other six.

VibeVal automates the structural validation and rationale-writing parts of an IEC 62304 software change. Submit a code diff and a risk class, get a verdict, a CSA-aligned rationale and a SHA-256 attestation hash for the DHF in seconds. The Quality Engineer still owns the judgment. Pay per check.

Ship validated changes faster.
Submit a code diff, get a CSA-aligned compliance verdict in seconds. Pay per check.
Get started

← All articles