Lifecycle assessment sets the timing, not the failure
An obsolescence and lifecycle review tells you how exposed each system is before a card failure forces an unplanned outage. Planning early keeps the shutdown window under the site's control.

An obsolescence and lifecycle review tells you how exposed each system is before a card failure forces an unplanned outage. Planning early keeps the shutdown window under the site's control.
Splitting the work by area or line keeps production running, spreads the capital spend, and lets each stage carry the lessons of the one before it. Big-bang is reserved for tightly coupled systems or a planned major shutdown.
Tag naming, historian records, alarm philosophy, and the governing electrical and safety standards all have to survive the upgrade. Treat continuity as a design input rather than something to reconcile after cutover.
Planning an automation upgrade on a live Australian plant is a different exercise from a new build. The existing controls keep production running, the available shutdown windows are short, and any change has to fit around equipment that may no longer match its drawings. The goal of planning is to modernise the control system without introducing new risk and without surrendering the choice of when the line goes down. Most upgrades begin not because the site wants new features, but because the existing platform is becoming harder to maintain: spares are harder to source, the programming software runs on one ageing PC, and a single card failure would turn a routine repair into a multi-day recovery.
This guide covers lifecycle assessment, risk ranking, the phased versus big-bang decision, brownfield constraints, and spares and standards continuity. For delivery support, Metromotion Controls covers this work through automation upgrades and PLC, SCADA and HMI programming, on sites ranging from packaging lines to building products plants.
The first question is not what to buy but how exposed the plant already is. A lifecycle assessment maps every significant control asset against its manufacturer lifecycle status and the practical consequence of its failure. Most major vendors publish a lifecycle classification for their products. Rockwell Automation, for example, classifies every catalogue number as Active, Active Mature, End of Life or Discontinued, and frames modernisation around that status, encouraging sites to plan a migration while a platform is still serviceable rather than after it is retired (Rockwell Automation, modernisation).
For each asset, record three things:
The output is a ranked picture of risk. A controller that is still supported with healthy spares and a low failure consequence can wait. A discontinued processor whose only spare is the card already running in the rack has crossed into planning territory, regardless of how reliably it has run so far.
A lifecycle assessment tells you what is exposed; an asset audit tells you what is actually installed. The two are different, because the field rarely matches the records. The audit is a systematic walk-down of control hardware, field devices, electrical infrastructure, networks and documentation, and it underpins everything that follows.
A useful audit captures:
The most common source of cost overrun on a brownfield upgrade is hidden complexity discovered during installation rather than during design. Undocumented serial links to packaged equipment, hand-modified ladder logic, and P&IDs that no longer reflect the field are the usual culprits. A thorough audit, often supported by systems integration discovery work, is the most effective way to bring that risk forward into the design phase where it is cheaper to resolve.
Once the plant is mapped, the risk assessment turns it into a priority order. It is worth separating risk into three views, because they rank the same equipment differently.
| Risk view | What it asks | What it ranks first |
|---|---|---|
| Production continuity | What happens to output if this fails? | Bottleneck lines, single points of failure, long-recovery assets |
| Safety | Does this system carry a safety function? | Interlocks, guarding, emergency stop and trip systems |
| Data and compliance | Does this hold records or traceability we must keep? | Historians, batch records, alarm logs, regulatory data |
Where a system carries a safety function, the upgrade falls under the functional safety lifecycle: IEC 61508 generally and IEC 61511 in the process sector, both of which treat modification of a safety system as a lifecycle event to be assessed rather than a like-for-like swap. The required safety integrity level should be established before design choices are locked in. Metromotion Controls handles this scope through functional safety work, covered further in our guide to SIL assessment in Australia.
The risk assessment is what justifies the staging order later. A line that is both a production bottleneck and running discontinued hardware ranks above a well-supported line with spare capacity, even if both are technically due for modernisation.
The central planning decision on a live plant is how to cut over. The two ends of the spectrum are a phased migration, where the plant is upgraded section by section, and a big-bang cutover, where the whole system changes in one outage.
| Approach | When it suits | Main risk |
|---|---|---|
| Phased | Most live brownfield plants with ongoing production | Higher total engineering hours; needs interfaces for old and new to coexist |
| Big-bang | Tightly interlocked systems, or an existing major planned shutdown | All risk concentrated in one cutover event; rollback is costly |
A phased approach divides the upgrade into logical sections by area, line or system. Each stage has its own design, factory acceptance test, cutover and handback, and the unaffected areas keep running on the existing controls throughout. The trade-off is that the site temporarily carries two platforms, and the design has to provide a clean interface between them, often a gateway or mapped data exchange that passes interlocks and status across the boundary during the transition.
A big-bang cutover avoids the cost of running two platforms in parallel, but it concentrates all the risk in a single event with an expensive rollback. It is the right choice when the plant cannot be split cleanly, for example a continuous process with interlocks that span the whole line, or when the site already has a long planned shutdown that can absorb the work. For most discrete and batch plants, phased migration is the lower-risk default, the usual recommendation for live sites in our legacy PLC migration guide.
The following sequence is illustrative. The numbers are typical engineering planning figures used to show how a phased upgrade is staged, not a result from any specific project. Consider an ageing packaging and filling line running a discontinued processor with mixed legacy I/O, a single ageing operator HMI, and a serial link to a packaged labeller.
Stage 0, discovery and design (allow 4 to 6 weeks). Complete the audit, confirm the I/O count, document the serial link to the labeller, recover or rebuild the P&ID and I/O lists, and fix the target platform and tag naming standard. Define the staging order from the risk assessment.
Stage 1, network and visualisation (no production outage). Stand up the new control network and a new SCADA or HMI alongside the existing system, reading from the legacy controller through a gateway. This delivers improved visibility and a historian early, proves the network, and gives operators time on the new interface before any controller changes. A typical allowance here is 3 to 5 days of on-site work spread across normal running.
Stage 2, controller migration on a planned shutdown (one weekend window). With the converted program already proven against simulated I/O in factory acceptance testing, swap the processor and migrate the I/O during a single planned outage. A wiring conversion approach keeps field re-termination short. Verify I/O point by point, run the site acceptance test, and sequence the restart deliberately to avoid pressure surges on transfer lines.
Stage 3, packaged equipment and data continuity (no production outage). Re-point the labeller interface to the new controller, confirm the historian and batch records are flowing into the new system, and decommission the legacy HMI once operators are confident on the new one.
The value of this shape is that the riskiest single event, the controller swap, is isolated to one short window, fully rehearsed, and surrounded by stages that carry no production outage at all. Each stage delivers standalone value, which also makes the spend easier to approve in increments.
A live site imposes constraints that a greenfield design never faces, and they shape the plan more than the technology choice does.
Shutdown windows. The available outage time is usually fixed by production, not by the project. Planning works backward from the window: what can be proven off-line beforehand, what must happen during the outage, and what can be completed afterward with the line running.
Documentation condition. The cleaner the input documentation, the faster and cheaper the upgrade. Current electrical drawings, PLC program backups with version history, I/O lists that match the field, and a written record of known faults are the ideal inputs. Sites that cannot provide these should budget time at the start of the project to recover them; that recovery is real work.
Spares through the transition. During a phased upgrade the site temporarily holds two platforms, so the spares plan has to cover the legacy hardware still in service and the new standard at the same time, with a defined retirement date for the old holdings. The longer-term aim is standardisation: when every line runs the same controller family, I/O range and drive platform, the shared spares pool shrinks and the depth of in-house knowledge grows, which is worth letting influence the platform choice from the start.
Support arrangements. Settle who holds the program backups, who can attend a breakdown, and what the recovery path is before the first cutover. Post-start support should be locked in before the outage begins, not arranged after a problem appears. Metromotion Controls provides this cover through ongoing support once a line is migrated.
An upgrade that loses the plant's accumulated records or breaks its conventions creates a different kind of cost. Continuity has to be designed in.
On the data side, the items to carry forward are the historian record, batch and production reports, alarm history, and any traceability data the site is obliged to keep. A worthwhile pattern is to stand up the new historian early, as in Stage 1 of the worked example, so a continuous record exists across the cutover rather than a gap. Tag naming and alarm philosophy should be standardised as part of the design, because a consistent tag standard is what lets later stages and future lines integrate cleanly. The principle of a structured, prioritised alarm system is set out in the alarm management standard ISA-18.2 (ISA, standards), and an upgrade is the natural point to bring an older, flat alarm scheme into line with it.
On the standards side, the electrical installation work follows AS/NZS 3000, the Wiring Rules (Standards Australia), and any control panel built or modified during the upgrade falls under AS/NZS 61439, the standard for the control panel engineering scope. Where the network is being rebuilt, the upgrade is also the right time to bring the OT network onto a current, segmented design rather than carrying forward a flat legacy topology.
A few pitfalls recur often enough to be worth naming directly.
Automation upgrades in Australia sit inside a clear regulatory framework, and the relevant parts have to be confirmed during discovery rather than at the outage.
The safety of the work itself is governed by the model Work Health and Safety laws. Safe Work Australia's guidance on managing the risks of plant covers isolation and energy control during maintenance and modification, including lockout and tagout of electrical, pneumatic, hydraulic and stored energy before anyone works on the equipment, and energy isolation should be planned into the cutover sequence as a designed step.
For acceptance testing, IEC 62381 provides a common framework for how factory acceptance, site acceptance and site integration tests are structured and recorded (IEC 62381), which keeps test scope, pass criteria and sign-off consistent when several parties share responsibility for a cutover. For manufacturers in sectors such as food and beverage and dairy, hygiene and traceability obligations sit on top of this framework, another reason data continuity has to be planned rather than reconciled afterward.
A sound upgrade plan starts from a lifecycle assessment, is grounded in a real audit rather than the drawings, and is staged in an order that the risk assessment justifies. For most live Australian plants a phased cutover keeps production running while spreading both the risk and the capital spend, with the riskiest single event isolated to a short, well-rehearsed window. Spares, support, data, and standards continuity are design inputs from the start, not loose ends to tidy after handback. Planned with enough lead time, an upgrade keeps the shutdown window, and the risk, under the site's control rather than a failure's.
Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.
Modernise legacy PLC, SCADA, HMI and control infrastructure with staged cutover planning.
PLC programming, troubleshooting, commissioning and legacy migration across Rockwell, Siemens and mixed sites.
Engineering support for production faults, diagnostics, minor works and long-term controls reliability.
Automation, traceability, CIP, SCADA and production data for Australian food and beverage plants.
Planning an upgrade without losing production on a live Australian manufacturing site.

Practitioner guide to scoping industrial automation for Melbourne manufacturers: control stack scope, greenfield versus brownfield, and choosing an integrator.
Key point
Scope from the operating constraint
Published 8 Apr 2026

How CIP automation cuts trade waste and chemical cost with endpoint-driven phases, protects chemical tanks, verifies coverage and records audit evidence.
Key point
Endpoint-driven phases cut cost without weakening the clean
Published 9 May 2026

Practical guide to food and beverage automation in Australia: ISA-88 batch control, CIP, pasteurisation, hygienic design, traceability and OEE.
Key point
Process and packaging automation are different problems
Published 13 Apr 2026
Map out scope, delivery approach and what to have ready before the first conversation. Answer a few questions and Metromotion Controls returns a tailored scoping brief on screen.