Engineering Guides · MAY 2026 · Updated JUNE 2026 · 11 min read

Planning an Automation Upgrade for an Australian Manufacturing Site

Key points

1. Lifecycle assessment sets the timing, not the failure

An obsolescence and lifecycle review tells you how exposed each system is before a card failure forces an unplanned outage. Planning early keeps the shutdown window under the site's control.

2. Phased cutover suits most live brownfield plants

Splitting the work by area or line keeps production running, spreads the capital spend, and lets each stage carry the lessons of the one before it. Big-bang is reserved for tightly coupled systems or a planned major shutdown.

3. Continuity of data and standards is part of the scope

Tag naming, historian records, alarm philosophy, and the governing electrical and safety standards all have to survive the upgrade. Treat continuity as a design input rather than something to reconcile after cutover.

Planning an automation upgrade on a live Australian plant is a different exercise from a new build. The existing controls keep production running, the available shutdown windows are short, and any change has to fit around equipment that may no longer match its drawings. The goal of planning is to modernise the control system without introducing new risk and without surrendering the choice of when the line goes down. Most upgrades begin not because the site wants new features, but because the supportability of the existing platform is thinning out: spares are harder to source, the programming software runs on one ageing PC, and a single card failure would turn a routine repair into a multi-day recovery.

This guide sets out how to assess obsolescence and lifecycle exposure, rank the risk, choose between a phased and a big-bang approach, work within brownfield constraints, hold spares and standards continuity together, and stage the work so it can be justified and approved. For delivery support, Metromotion Controls covers this work through automation upgrades and PLC, SCADA and HMI programming.

Start with an obsolescence and lifecycle assessment

The first question is not what to buy but how exposed the plant already is. A lifecycle assessment maps every significant control asset against its manufacturer lifecycle status and the practical consequence of its failure. Most major vendors publish a lifecycle classification for their products, typically running through active, mature or classic, end of life, and discontinued. Rockwell Automation, for example, frames modernisation around exactly this status, encouraging sites to plan a migration while a platform is still serviceable rather than after it is retired (Rockwell Automation, modernisation).

For each asset, record three things:

  • Lifecycle status. Where the controller, I/O, drives, HMIs, and networks sit in the vendor lifecycle, and the published or expected end-of-support date.
  • Spares reality. Whether a failed unit can be sourced from the vendor, from authorised channels, or only from the grey market and refurbishment trade where pricing and reliability are unpredictable.
  • Failure consequence. What a single failure does to production, and how long recovery realistically takes given current spares and knowledge.

The output is a ranked picture of risk. A controller that is still supported with healthy spares and a low failure consequence can wait. A discontinued processor whose only spare is the card already running in the rack has crossed into planning territory, regardless of how reliably it has run so far. The point of assessing lifecycle early is that support risk arrives years before the hardware stops working, and that gap is the window in which the site can still control the shutdown.

Audit the existing plant before scoping

A lifecycle assessment tells you what is exposed; an asset audit tells you what is actually installed. The two are different, because the field rarely matches the records. The audit is a systematic walk-down of control hardware, field devices, electrical infrastructure, networks, and documentation, and it underpins everything that follows. Scoping an upgrade without a real audit means scoping against assumptions, and assumptions are where brownfield projects overrun.

A useful audit captures:

  • What exists. PLC models and firmware versions, I/O counts and types, network topology, panel condition, drive platforms, and the age and type of field instruments.
  • What is at risk. End-of-life hardware, obsolete communications such as legacy serial or proprietary networks, undocumented modifications, and devices that no longer match the drawings.
  • What the plant needs. Known operational faults, missing functionality, the daily workarounds the shift team lives with, and any regulatory or safety obligation the current system does not meet.

The most common source of cost overrun on a brownfield upgrade is hidden complexity discovered during installation rather than during design. Undocumented serial links to packaged equipment, hand-modified ladder logic, and P&IDs that no longer reflect the field are the usual culprits. A thorough audit, often supported by systems integration discovery work, is the most effective way to bring that risk forward into the design phase where it is cheaper to resolve.

Risk assessment across production, safety, and data

Once the plant is mapped, the risk assessment turns it into a priority order. It is worth separating risk into three views, because they rank the same equipment differently.

| Risk view | What it asks | What it ranks first |
|---|---|---|
| Production continuity | What happens to output if this fails? | Bottleneck lines, single points of failure, long-recovery assets |
| Safety | Does this system carry a safety function? | Interlocks, guarding, emergency stop and trip systems |
| Data and compliance | Does this hold records or traceability we must keep? | Historians, batch records, alarm logs, regulatory data |

Where a system carries a safety function, the upgrade falls under the functional safety lifecycle, and the assessment should establish the required safety integrity level before any design choices are locked in. The relevant standards are IEC 61508 for the general functional safety lifecycle and IEC 61511 for the process sector, and both treat modification of a safety system as a lifecycle event that has to be assessed rather than a like-for-like swap. Metromotion Controls handles this scope through functional safety work, and the detail is covered further in our guide to SIL assessment in Australia.

The risk assessment is what justifies the staging order later. A line that is both a production bottleneck and running discontinued hardware ranks above a well-supported line with spare capacity, even if both are technically due for modernisation.

Phased versus big-bang cutover

The central planning decision on a live plant is how to cut over. The two ends of the spectrum are a phased migration, where the plant is upgraded section by section, and a big-bang cutover, where the whole system changes in one outage.

| Approach | When it suits | Main risk |
|---|---|---|
| Phased | Most live brownfield plants with ongoing production | Higher total engineering hours; needs interfaces for old and new to coexist |
| Big-bang | Tightly interlocked systems, or an existing major planned shutdown | All risk concentrated in one cutover event; rollback is costly |

A phased approach divides the upgrade into logical sections by area, line, or system. Each stage has its own design, factory acceptance test, cutover, and handback, and the unaffected areas keep running on the existing controls throughout. The trade-off is that the site temporarily carries two platforms, and the design has to provide a clean interface between them, often a gateway or a mapped data exchange so the new and legacy systems can pass interlocks and status across the boundary during the transition.

A big-bang cutover avoids the cost and complexity of running two platforms in parallel, but it concentrates all the risk in a single event with an expensive rollback. It is the right choice when the plant cannot be split cleanly, for example a continuous process with interlocks that span the whole line, or when the site already has a long planned shutdown such as an annual maintenance window that can absorb the work. For most discrete and batch plants, phased migration is the lower-risk default, which is why it is the usual recommendation for live sites in our legacy PLC migration guide.

A worked example: phasing an ageing line

The following sequence is illustrative. The numbers are typical engineering planning figures used to show how a phased upgrade is staged, not a result from any specific project. Consider an ageing packaging and filling line running a discontinued processor with mixed legacy I/O, a single ageing operator HMI, and a serial link to a packaged labeller.

Stage 0, discovery and design (allow 4 to 6 weeks). Complete the audit, confirm the I/O count, document the serial link to the labeller, recover or rebuild the P&ID and I/O lists, and fix the target platform and tag naming standard. Define the staging order from the risk assessment.

Stage 1, network and visualisation (no production outage). Stand up the new control network and a new SCADA or HMI alongside the existing system, reading from the legacy controller through a gateway. This delivers improved visibility and a historian early, proves the network, and gives operators time on the new interface before any controller changes. A typical allowance here is 3 to 5 days of on-site work spread across normal running.

Stage 2, controller migration on a planned shutdown (one weekend window). With the converted program already proven against simulated I/O in factory acceptance testing, swap the processor and migrate the I/O during a single planned outage. A wiring conversion approach keeps field re-termination short. Verify I/O point by point, run the site acceptance test, and sequence the restart deliberately to avoid pressure surges on transfer lines.

Stage 3, packaged equipment and data continuity (no production outage). Re-point the labeller interface to the new controller, confirm the historian and batch records are flowing into the new system, and decommission the legacy HMI once operators are confident on the new one.

The value of this shape is that the riskiest single event, the controller swap, is isolated to one short window, fully rehearsed, and surrounded by stages that carry no production outage at all. Each stage delivers standalone value, which also makes the spend easier to approve in increments.

Brownfield constraints, spares, and support continuity

A live site imposes constraints that a greenfield design never faces, and they shape the plan more than the technology choice does.

Shutdown windows. The available outage time is usually fixed by production, not by the project. Planning works backward from the window: what can be proven off-line beforehand, what must happen during the outage, and what can be completed afterward with the line running.

Documentation condition. The cleaner the input documentation, the faster and cheaper the upgrade. Current electrical drawings, PLC program backups with version history, I/O lists that match the field, and a written record of known faults are the ideal inputs. Sites that cannot provide these should budget time at the start of the project to recover them, because that recovery is real work that has to happen somewhere.

Spares through the transition. During a phased upgrade the site temporarily holds two platforms, so the spares plan has to cover the legacy hardware still in service and the new standard at the same time, with a defined retirement date for the old holdings. The longer-term aim is standardisation: when every line eventually runs the same controller family, I/O range, and drive platform, the shared spares pool shrinks and the depth of in-house knowledge grows. Standardising the platform is one of the clearest ongoing benefits of a planned upgrade, and it is worth letting it influence the platform choice from the start.

Support arrangements. Settle who holds the program backups, who can attend a breakdown, and what the recovery path is before the first cutover. Post-start support should be locked in before the outage begins, not arranged after a problem appears. Metromotion Controls provides this cover through ongoing support once a line is migrated.

Data and standards continuity

An upgrade that loses the plant's accumulated records or breaks its conventions creates a different kind of cost. Continuity has to be designed in.

On the data side, the items to carry forward are the historian record, batch and production reports, alarm history, and any traceability data the site is obliged to keep. A common and worthwhile pattern is to stand up the new historian early, as in Stage 1 of the worked example, so that a continuous record exists across the cutover rather than a gap. Tag naming and alarm philosophy should be standardised as part of the design, because a consistent tag standard is what lets later stages and future lines integrate cleanly. The principle of a structured, prioritised alarm system is set out in the widely used alarm management standard ISA-18.2 (ISA, standards), and an upgrade is the natural point to bring an older, flat alarm scheme into line with it.

On the standards side, the governing Australian and international standards have to be confirmed and applied to the relevant part of the scope. The electrical installation work follows AS/NZS 3000, the Wiring Rules, available through Standards Australia (Standards Australia). Any control panel built or modified during the upgrade falls under AS/NZS 61439 for low-voltage switchgear and controlgear assemblies, which is the relevant standard for the control panel engineering scope. Where the network is being rebuilt, an upgrade is also the right time to bring the OT network onto a current, segmented design rather than carrying forward a flat legacy topology.

Common mistakes to avoid

A few pitfalls recur often enough to be worth naming directly.

  • Scoping from the drawings instead of the field. Trusting as-built documentation that has not been verified on site is the most common root cause of overrun. The field almost always differs from the records.
  • Underestimating code conversion. An automated converter produces a faithful structural starting point, not a finished program. Analogue scaling, block-transfer handling, timing assumptions, and indirect addressing all need manual review before the converted code is trustworthy on a live line.
  • Treating the restart as an electrical event. Re-energising pumps, valves, and drives in the wrong order can cause pressure surges and water hammer that damage pipework and instruments. The restart sequence is engineering, not a step left to whoever is on shift, a point covered further in our note on pump control and water hammer.
  • Ignoring the packaged equipment. Third-party skids, labellers, and OEM units with their own controllers and serial links are routinely missed in discovery and then discovered during the outage. They belong in the audit and in the factory acceptance test scope.
  • No rollback per stage. A cutover without defined go/no-go gates and a written rollback at each one leaves the line able to reach an undefined state. Every stage should have a known position to return to and a clear point of no return once legacy hardware is removed.

The Australian context

Automation upgrades in Australia sit inside a clear regulatory and standards framework, and the relevant parts have to be confirmed during discovery rather than at the outage.

The safety of the work itself is governed by the model Work Health and Safety laws, administered nationally by Safe Work Australia and enacted by the state and territory regulators. Their guidance on managing the risks of plant covers isolation and energy control during maintenance and modification, including lockout and tagout of electrical, pneumatic, hydraulic, and stored energy before anyone works on the equipment (Safe Work Australia, managing the risks of plant). Energy isolation should be planned into the cutover sequence as a designed step.

The electrical scope is framed by AS/NZS 3000 for the installation work and AS/NZS 61439 for any switchboard or control panel work. Where the upgrade touches a safety function, the functional safety lifecycle under IEC 61508 and the process-sector standard IEC 61511 apply, and a modification is treated as a lifecycle activity in its own right. For acceptance testing, IEC 62381 provides a common industry framework for how factory acceptance, site acceptance, and site integration tests are structured and recorded (IEC 62381). Working to a recognised structure keeps the test scope, pass criteria, and sign-off consistent, which matters most when several parties share responsibility for a cutover.

For local manufacturers in sectors such as food and beverage and dairy, sector hygiene and traceability obligations sit on top of this framework, which is another reason data continuity through the upgrade has to be planned rather than reconciled afterward.

Bringing the plan together

A sound upgrade plan starts from a lifecycle assessment, is grounded in a real audit rather than the drawings, and is staged in an order that the risk assessment justifies. For most live Australian plants a phased cutover keeps production running while spreading both the risk and the capital spend, with the riskiest single event isolated to a short, well-rehearsed window. Spares, support, data, and standards continuity are design inputs from the start, not loose ends to tidy after handback. Planned with enough lead time, an upgrade keeps the shutdown window, and the risk, under the site's control rather than a failure's.

About the author

Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.

Common questions

How do we decide whether to upgrade now or wait another year?

The decision should come from a lifecycle assessment rather than a calendar. Map each control asset against its manufacturer lifecycle status (active, mature, end of life, discontinued), the realistic availability of spares, and the consequence of a failure on production. When a single card failure would become a sourcing exercise that takes the line down for days, the system has crossed from a maintenance concern into a planning trigger. Waiting is reasonable while spares are sound and the platform is still supported, but the value of planning early is that the site keeps control of the shutdown window instead of reacting to a fault.

What is the difference between a phased upgrade and a big-bang cutover?

A phased upgrade divides the plant into logical sections, usually by area, line, or system, and migrates one section at a time with its own design, factory acceptance test, and cutover. Production continues on the unaffected areas throughout. A big-bang cutover replaces the whole system in a single outage. Phased work lowers the risk per event and lets each stage benefit from what the previous stage taught the team, but it costs more in total engineering hours and needs interfaces that let old and new systems coexist during the transition. Big-bang suits tightly interlocked plants that cannot be split cleanly, or a site that already has a long planned shutdown such as an annual maintenance window.

How do brownfield constraints change an upgrade plan compared with a new build?

On a brownfield site the existing plant keeps producing, so the upgrade has to fit around live operation, real interlocks, and equipment that may not match the drawings. The constraints that shape the plan are the available shutdown windows, the condition and accuracy of existing field wiring and documentation, the need to keep unaffected areas running, and the interactions with packaged equipment and upstream or downstream lines. These constraints usually push the work toward a phased approach and make discovery the most important phase, because the cost overruns on brownfield projects almost always trace back to hidden complexity found during installation rather than during design.

How do we keep spares and support manageable through an upgrade?

Standardising the target platform across the plant is the single biggest lever on spares. When every line eventually runs the same controller family, I/O range, and drive platform, the shared spares pool shrinks and the depth of support knowledge grows. During a phased upgrade the site temporarily carries two platforms, so the spares plan has to cover both the legacy hardware still in service and the new standard, with a clear retirement date for the old holdings. Support arrangements, including who holds the program backups and who can attend a breakdown, should be settled before the first cutover rather than after.

How do we justify an automation upgrade to a board or budget holder?

Frame the case around risk and continuity rather than features. The strongest arguments are the cost and probability of an unplanned outage on obsolete hardware, the lead time and price volatility of grey-market spares, the operational risk of relying on one ageing programming PC and one person who knows the application, and any compliance or safety obligations the current system does not meet. Quantify the production value of the lines at risk and the realistic recovery time after a failure, then show how staging the work spreads the capital spend across budget periods. A phased plan with defined stages is usually easier to approve than a single large request, because each stage delivers standalone value and the spend is visible.

What standards and regulators apply to an automation upgrade in Australia?

The electrical installation work is governed by AS/NZS 3000, the Wiring Rules, and any control panels built or modified during the upgrade fall under AS/NZS 61439 for low-voltage switchgear and controlgear assemblies. The safety of the work itself, including isolation and lockout during the cutover, sits under the model Work Health and Safety framework administered by Safe Work Australia, supported by their guidance on managing the risks of plant. Where the upgrade touches safety functions, IEC 61508 and IEC 61511 set out the functional safety lifecycle. For acceptance testing, IEC 62381 provides a common framework for factory and site acceptance tests. Confirming which standards apply to which part of the scope is part of discovery, not something to settle on the day of the outage.
