Skip to content
Planning an Automation Upgrade for an Australian Manufacturing Site engineering guide from Metromotion Controls
Engineering Guides · MAY 2026 · Updated JUNE 2026 · 12 min read

Planning an Automation Upgrade for an Australian Manufacturing Site

Key points

Key points
1

Lifecycle assessment sets the timing, not the failure

An obsolescence and lifecycle review tells you how exposed each system is before a card failure forces an unplanned outage. Planning early keeps the shutdown window under the site's control.

2

Phased cutover suits most live brownfield plants

Splitting the work by area or line keeps production running, spreads the capital spend, and lets each stage carry the lessons of the one before it. Big-bang is reserved for tightly coupled systems or a planned major shutdown.

3

Continuity of data and standards is part of the scope

Tag naming, historian records, alarm philosophy, and the governing electrical and safety standards all have to survive the upgrade. Treat continuity as a design input rather than something to reconcile after cutover.

Planning an automation upgrade on a live Australian plant is a different exercise from a new build. The existing controls keep production running, the available shutdown windows are short, and any change has to fit around equipment that may no longer match its drawings. The goal of planning is to modernise the control system without introducing new risk and without surrendering the choice of when the line goes down. Most upgrades begin not because the site wants new features, but because the existing platform is becoming harder to maintain: spares are harder to source, the programming software runs on one ageing PC, and a single card failure would turn a routine repair into a multi-day recovery.

This guide covers lifecycle assessment, risk ranking, the phased versus big-bang decision, brownfield constraints, and spares and standards continuity. For delivery support, Metromotion Controls covers this work through automation upgrades and PLC, SCADA and HMI programming, on sites ranging from packaging lines to building products plants.

Start with an obsolescence and lifecycle assessment

The first question is not what to buy but how exposed the plant already is. A lifecycle assessment maps every significant control asset against its manufacturer lifecycle status and the practical consequence of its failure. Most major vendors publish a lifecycle classification for their products. Rockwell Automation, for example, classifies every catalogue number as Active, Active Mature, End of Life or Discontinued, and frames modernisation around that status, encouraging sites to plan a migration while a platform is still serviceable rather than after it is retired (Rockwell Automation, modernisation).

For each asset, record three things:

  • Lifecycle status. Where the controller, I/O, drives, HMIs, and networks sit in the vendor lifecycle, and the published or expected end-of-support date.
  • Spares reality. Whether a failed unit can be sourced from the vendor, from authorised channels, or only from the grey market and refurbishment trade where pricing and reliability are unpredictable.
  • Failure consequence. What a single failure does to production, and how long recovery realistically takes given current spares and knowledge.

The output is a ranked picture of risk. A controller that is still supported with healthy spares and a low failure consequence can wait. A discontinued processor whose only spare is the card already running in the rack has crossed into planning territory, regardless of how reliably it has run so far.

Audit the existing plant before scoping

A lifecycle assessment tells you what is exposed; an asset audit tells you what is actually installed. The two are different, because the field rarely matches the records. The audit is a systematic walk-down of control hardware, field devices, electrical infrastructure, networks and documentation, and it underpins everything that follows.

A useful audit captures:

  • What exists. PLC models and firmware versions, I/O counts and types, network topology, panel condition, drive platforms, and the age and type of field instruments.
  • What is at risk. End-of-life hardware, obsolete communications such as legacy serial or proprietary networks, undocumented modifications, and devices that no longer match the drawings.
  • What the plant needs. Known operational faults, missing functionality, the daily workarounds the shift team lives with, and any regulatory or safety obligation the current system does not meet.

The most common source of cost overrun on a brownfield upgrade is hidden complexity discovered during installation rather than during design. Undocumented serial links to packaged equipment, hand-modified ladder logic, and P&IDs that no longer reflect the field are the usual culprits. A thorough audit, often supported by systems integration discovery work, is the most effective way to bring that risk forward into the design phase where it is cheaper to resolve.

Risk assessment across production, safety, and data

Once the plant is mapped, the risk assessment turns it into a priority order. It is worth separating risk into three views, because they rank the same equipment differently.

Risk viewWhat it asksWhat it ranks first
Production continuityWhat happens to output if this fails?Bottleneck lines, single points of failure, long-recovery assets
SafetyDoes this system carry a safety function?Interlocks, guarding, emergency stop and trip systems
Data and complianceDoes this hold records or traceability we must keep?Historians, batch records, alarm logs, regulatory data

Where a system carries a safety function, the upgrade falls under the functional safety lifecycle: IEC 61508 generally and IEC 61511 in the process sector, both of which treat modification of a safety system as a lifecycle event to be assessed rather than a like-for-like swap. The required safety integrity level should be established before design choices are locked in. Metromotion Controls handles this scope through functional safety work, covered further in our guide to SIL assessment in Australia.

The risk assessment is what justifies the staging order later. A line that is both a production bottleneck and running discontinued hardware ranks above a well-supported line with spare capacity, even if both are technically due for modernisation.

Phased versus big-bang cutover

The central planning decision on a live plant is how to cut over. The two ends of the spectrum are a phased migration, where the plant is upgraded section by section, and a big-bang cutover, where the whole system changes in one outage.

ApproachWhen it suitsMain risk
PhasedMost live brownfield plants with ongoing productionHigher total engineering hours; needs interfaces for old and new to coexist
Big-bangTightly interlocked systems, or an existing major planned shutdownAll risk concentrated in one cutover event; rollback is costly

A phased approach divides the upgrade into logical sections by area, line or system. Each stage has its own design, factory acceptance test, cutover and handback, and the unaffected areas keep running on the existing controls throughout. The trade-off is that the site temporarily carries two platforms, and the design has to provide a clean interface between them, often a gateway or mapped data exchange that passes interlocks and status across the boundary during the transition.

A big-bang cutover avoids the cost of running two platforms in parallel, but it concentrates all the risk in a single event with an expensive rollback. It is the right choice when the plant cannot be split cleanly, for example a continuous process with interlocks that span the whole line, or when the site already has a long planned shutdown that can absorb the work. For most discrete and batch plants, phased migration is the lower-risk default, the usual recommendation for live sites in our legacy PLC migration guide.

A worked example: phasing an ageing line

The following sequence is illustrative. The numbers are typical engineering planning figures used to show how a phased upgrade is staged, not a result from any specific project. Consider an ageing packaging and filling line running a discontinued processor with mixed legacy I/O, a single ageing operator HMI, and a serial link to a packaged labeller.

Stage 0, discovery and design (allow 4 to 6 weeks). Complete the audit, confirm the I/O count, document the serial link to the labeller, recover or rebuild the P&ID and I/O lists, and fix the target platform and tag naming standard. Define the staging order from the risk assessment.

Stage 1, network and visualisation (no production outage). Stand up the new control network and a new SCADA or HMI alongside the existing system, reading from the legacy controller through a gateway. This delivers improved visibility and a historian early, proves the network, and gives operators time on the new interface before any controller changes. A typical allowance here is 3 to 5 days of on-site work spread across normal running.

Stage 2, controller migration on a planned shutdown (one weekend window). With the converted program already proven against simulated I/O in factory acceptance testing, swap the processor and migrate the I/O during a single planned outage. A wiring conversion approach keeps field re-termination short. Verify I/O point by point, run the site acceptance test, and sequence the restart deliberately to avoid pressure surges on transfer lines.

Stage 3, packaged equipment and data continuity (no production outage). Re-point the labeller interface to the new controller, confirm the historian and batch records are flowing into the new system, and decommission the legacy HMI once operators are confident on the new one.

The value of this shape is that the riskiest single event, the controller swap, is isolated to one short window, fully rehearsed, and surrounded by stages that carry no production outage at all. Each stage delivers standalone value, which also makes the spend easier to approve in increments.

Brownfield constraints, spares, and support continuity

A live site imposes constraints that a greenfield design never faces, and they shape the plan more than the technology choice does.

Shutdown windows. The available outage time is usually fixed by production, not by the project. Planning works backward from the window: what can be proven off-line beforehand, what must happen during the outage, and what can be completed afterward with the line running.

Documentation condition. The cleaner the input documentation, the faster and cheaper the upgrade. Current electrical drawings, PLC program backups with version history, I/O lists that match the field, and a written record of known faults are the ideal inputs. Sites that cannot provide these should budget time at the start of the project to recover them; that recovery is real work.

Spares through the transition. During a phased upgrade the site temporarily holds two platforms, so the spares plan has to cover the legacy hardware still in service and the new standard at the same time, with a defined retirement date for the old holdings. The longer-term aim is standardisation: when every line runs the same controller family, I/O range and drive platform, the shared spares pool shrinks and the depth of in-house knowledge grows, which is worth letting influence the platform choice from the start.

Support arrangements. Settle who holds the program backups, who can attend a breakdown, and what the recovery path is before the first cutover. Post-start support should be locked in before the outage begins, not arranged after a problem appears. Metromotion Controls provides this cover through ongoing support once a line is migrated.

Data and standards continuity

An upgrade that loses the plant's accumulated records or breaks its conventions creates a different kind of cost. Continuity has to be designed in.

On the data side, the items to carry forward are the historian record, batch and production reports, alarm history, and any traceability data the site is obliged to keep. A worthwhile pattern is to stand up the new historian early, as in Stage 1 of the worked example, so a continuous record exists across the cutover rather than a gap. Tag naming and alarm philosophy should be standardised as part of the design, because a consistent tag standard is what lets later stages and future lines integrate cleanly. The principle of a structured, prioritised alarm system is set out in the alarm management standard ISA-18.2 (ISA, standards), and an upgrade is the natural point to bring an older, flat alarm scheme into line with it.

On the standards side, the electrical installation work follows AS/NZS 3000, the Wiring Rules (Standards Australia), and any control panel built or modified during the upgrade falls under AS/NZS 61439, the standard for the control panel engineering scope. Where the network is being rebuilt, the upgrade is also the right time to bring the OT network onto a current, segmented design rather than carrying forward a flat legacy topology.

Common mistakes to avoid

A few pitfalls recur often enough to be worth naming directly.

  • Scoping from the drawings instead of the field. Trusting as-built documentation that has not been verified on site is the most common root cause of overrun.
  • Underestimating code conversion. An automated converter produces a faithful structural starting point, not a finished program. Analogue scaling, block-transfer handling, timing assumptions, and indirect addressing all need manual review before the converted code is trustworthy on a live line.
  • Treating the restart as an electrical event. Re-energising pumps, valves and drives in the wrong order causes pressure surges and water hammer that damage pipework and instruments. The restart sequence is engineering, not a step left to whoever is on shift, a point covered in our note on pump control and water hammer.
  • Ignoring the packaged equipment. Third-party skids, labellers and OEM units with their own controllers and serial links are routinely missed in discovery and found during the outage. They belong in the audit and the factory acceptance test scope.
  • No rollback per stage. A cutover without defined go/no-go gates and a written rollback at each one leaves the line able to reach an undefined state. Every stage should have a known position to return to and a clear point of no return once legacy hardware is removed.

The Australian context

Automation upgrades in Australia sit inside a clear regulatory framework, and the relevant parts have to be confirmed during discovery rather than at the outage.

The safety of the work itself is governed by the model Work Health and Safety laws. Safe Work Australia's guidance on managing the risks of plant covers isolation and energy control during maintenance and modification, including lockout and tagout of electrical, pneumatic, hydraulic and stored energy before anyone works on the equipment, and energy isolation should be planned into the cutover sequence as a designed step.

For acceptance testing, IEC 62381 provides a common framework for how factory acceptance, site acceptance and site integration tests are structured and recorded (IEC 62381), which keeps test scope, pass criteria and sign-off consistent when several parties share responsibility for a cutover. For manufacturers in sectors such as food and beverage and dairy, hygiene and traceability obligations sit on top of this framework, another reason data continuity has to be planned rather than reconciled afterward.

Bringing the plan together

A sound upgrade plan starts from a lifecycle assessment, is grounded in a real audit rather than the drawings, and is staged in an order that the risk assessment justifies. For most live Australian plants a phased cutover keeps production running while spreading both the risk and the capital spend, with the riskiest single event isolated to a short, well-rehearsed window. Spares, support, data, and standards continuity are design inputs from the start, not loose ends to tidy after handback. Planned with enough lead time, an upgrade keeps the shutdown window, and the risk, under the site's control rather than a failure's.

References

About the author

Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.

Share:LinkedInX
Next step

Planning work in Engineering Guides?

Map out scope, delivery approach and what to have ready before the first conversation. Answer a few questions and Metromotion Controls returns a tailored scoping brief on screen.