Scope, hardware selection and code conversion are settled before the window. Execution is about proving the system through FAT and SAT, verifying I/O point by point, and following a sequenced runbook with defined decision gates.
A phased cutover across maintenance windows keeps each rollback small and realistic. A hot or full-swing cutover compresses the outage but demands far higher pre-cutover testing and a hard point of no return.
Every cutover needs a defined state and a defined time for each decision gate, and a documented way back at each one. Without them, the team improvises reversion decisions under pressure when production is waiting.
A PLC migration is usually discussed as a planning problem: when to start, how to scope the outage, which controller to standardise on, how to convert the legacy code. That work matters, and it is covered in our companion guides on automation upgrade planning and legacy PLC migration. This guide is about the other half, the execution. The cutover is the moment the planning is tested against a live plant, and it is the highest-risk window in the whole project.
The distinction matters because the failure modes are different. Planning failures are errors of judgement: the wrong controller, an underestimated scope, a missed interlock. Cutover failures are errors of preparation and discipline: a cable assumed to be labelled correctly, a procedure that was never rehearsed, a go/no-go decision that was never defined before the window opened. This guide deals with the second category.
Most cutover failures are not caused by bad code or wrong hardware. They are caused by preparation gaps and undisciplined execution. The code conversion and hardware selection were the planning phase. The cutover is about proving what was built and following the runbook.
For delivery context, this is the work that sits across automation upgrades, commissioning, and PLC, SCADA and HMI programming.
A cutover is electrical work, plant work and software commissioning at the same time, so several standards apply at once. Naming them by number keeps the test scope, the safety scope and the sign-off consistent when more than one party shares responsibility for the window.
Confirming which standards apply, and to which part of the scope, is part of discovery rather than something to settle on the day of the outage. By the time the window opens, the team should know which clauses govern the panel work, the field wiring and the safety functions, and who signs each off.
The first execution decision is the shape of the changeover. Three approaches sit on a spectrum from lowest to highest risk inside the window.
Phased (staged) cutover. The migration is broken into sections, by equipment area, by production line, or by I/O group, and each section has its own outage window. Risk is distributed across multiple smaller events, and the rollback at each stage is small and realistic. The cost is total project duration and the need to manage the interface between the old and new systems while both are live. For most brownfield migrations on Australian food and beverage sites, this is the lowest-risk approach when the equipment architecture allows the plant to be split cleanly.
Hot (full-swing) cutover. The legacy system is decommissioned and the new system is commissioned in a single window. This gives the shortest total outage and avoids any old-to-new interface, but it carries the highest risk because there is little time to recover inside the window. A hot cutover is only defensible when the process cannot be partially migrated cleanly and when the pre-cutover testing has been thorough enough that the live window holds few surprises.
Parallel (shadow) run. The new system runs alongside the legacy system before cutover, with process values compared to build confidence. This is practical for SCADA and historian replacements, where reading the same data twice is harmless. It is difficult for PLC control because two controllers cannot both drive the same outputs at once, so a true parallel run on the control layer is rarely possible. Where it is, it is usually limited to read-only monitoring against shared inputs.
The decision is driven by how much of the plant can be isolated, the production schedule, and the confidence level from testing.
| Factor | Points toward phased | Points toward hot |
|---|---|---|
| Plant architecture | Lines or areas can be isolated cleanly | Process is tightly coupled, cannot be split |
| Available windows | Several short maintenance windows exist | Only one long shutdown is available |
| Interlock complexity | Cross-line interlocks are manageable | Interlocks make partial running unsafe |
| Rollback tolerance | A small reversion must always be possible | A hard point of no return is acceptable |
| Testing maturity | Standard FAT and SAT confidence | Exhaustive FAT, rehearsed, high confidence |
A phased cutover should be the default unless a specific reason rules it out. The judgement is about which approach keeps the rollback realistic for the risk the site can carry, and it benefits from reading the line as a process rather than only as I/O, which is where systems integration and process knowledge pay off.
The cutover window is not the place to discover whether the system works. That confidence is built through a staged acceptance sequence so that problems are found against simulation and test rigs rather than against product.
Factory Acceptance Test (FAT). The converted program is exercised against simulated I/O before anything ships to site. Sequences, interlocks, alarms and edge cases are driven through a simulator so the bulk of the logic is proven off the critical path. The FAT is where analogue scaling, block-transfer handling and timing assumptions from a code conversion get shaken out, because a converter gives a faithful structural translation but not a finished program.
Site Acceptance Test (SAT). Once the system is installed, it is checked against real hardware. I/O is verified point by point, field devices respond as expected, and the wiring conversion is confirmed before the line is handed back. The SAT is where site records meet reality, and it is consistently where undocumented links and mislabelled cables appear.
System integration testing. The line is then tested where it meets upstream and downstream equipment, packaged units and higher-level systems, so interlocks and handshakes across boundaries are confirmed under realistic conditions.
A cutover rehearsal sits alongside this sequence. Where the FAT proves the logic and the SAT proves the installation, a rehearsal proves the procedure: it is a practice run of the actual cutover steps, ideally on the real site, to expose timing issues, tool gaps and coordination problems before the live window. Rehearsing the runbook is the single best predictor of a calm execution.
I/O verification is usually the longest task inside the window and the one most exposed to bad site records. Every point has to be confirmed end to end, not assumed from a drawing.
For digital points, that means forcing or operating each input and output and confirming the state from the field device through to the controller tag and the HMI or SCADA display. For analogue points, it means injecting known values at the field end and confirming the engineering-unit reading at the controller, which is where scaling errors carried through a code conversion surface. The verification record should reference the loop sheet and be signed as each loop passes.
Two practices keep this on schedule. First, verify cable labels against the new panel drawings before the window, not during it, because a mismatch found at 2am costs far more than the same mismatch found a week earlier. Second, where a wiring conversion system is used, such as swing-arm modules and pre-wired conversion cables that land existing field wiring onto the new I/O, the point-to-point checking reduces to the conversion interface rather than every field device, which shortens verification considerably. The field wiring still has to be sound, and any hand-modified or undocumented connection found in discovery must be resolved before the conversion hardware can be trusted.
Consider a single packaging line being migrated from a legacy controller to a current platform over a planned weekend shutdown. The numbers below are illustrative and chosen to show the shape of a runbook with rollback points, not a real Metromotion Controls or named-client result. A typical sequence might run as follows, with the clock starting at isolation as T+0.
The value of the runbook is that each gate compares a required state against the clock, and each gate has a documented way back until the point of no return. Logging actual completion times against the plan is what makes the go/no-go decisions evidence-based rather than improvised.
Every cutover needs defined moments where the team assesses whether to continue or revert, and those moments must be defined in advance. Each gate states what state the new system must be in, and by what time, for the cutover to proceed rather than revert. Without that, the team makes go/no-go judgements under pressure, at 3am, with production management waiting, which is not where good decisions happen.
Rollback is the other half of the same discipline. A rollback plan states, for each gate, what it takes to restore the previous state and how long that reversion itself needs, so the decision can be made against the remaining window rather than in hope. It also names the point of no return explicitly. Up to that boundary the reverse is cheap; past it, reversion means re-installing the legacy system, and the calculus changes. A clear point of no return on the runbook keeps the team honest about when the easy reverse has passed.
These are the recurring failures that turn a manageable cutover into an extended outage.
On Australian food and beverage and dairy sites, cutover windows are constrained by tightly scheduled production and by the cost of lost batches, which is why the phased approach across planned maintenance windows is so common. The same constraint makes pre-cutover testing worth the investment: the more the system is proven through FAT and SAT, the shorter and calmer the live window.
The compliance scope is not optional. The safety of the work itself is governed by Safe Work Australia guidance on energy isolation, and energy isolation should be planned into the cutover sequence rather than treated as a site formality. The electrical scope is framed by AS/NZS 3000 for the installation work and AS/NZS 61439 where the cutover touches or rebuilds control panels, work that sits within control panel engineering. Where a cutover touches safety functions, IEC 61511 and IEC 61508 require that the verified safety integrity level is preserved through the change and validated as part of acceptance, which is the discipline covered in our note on functional safety and SIL assessment. Confirming the standards scope during discovery, and naming who signs off each part, keeps a multi-party cutover coherent under shutdown pressure.
A PLC cutover is a manageable event when it is treated as a procedure rather than an improvisation. The pre-cutover testing, FAT and SAT, I/O verification, rehearsal and rollback planning, is what makes the execution reliable. The shape of the cutover, phased or hot, should match how much of the plant can be isolated and how much rollback the site needs to keep available. The time to discover gaps is before the window, not inside it. With a written runbook, defined go/no-go gates, a documented rollback at each one and a clear point of no return, the highest-risk window in a migration becomes a controlled, evidence-based execution.
Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.
A PLC cutover is the transition from an existing control system to a new one on a live plant. It involves taking the old system offline, commissioning the new hardware and software, verifying I/O, and returning the plant to production within a defined outage window. The cutover is the execution phase of a PLC migration, distinct from the planning and scoping work that comes before it.
A phased cutover breaks the changeover into sections by line, area or I/O group, each with its own outage window and its own rollback. A hot or full-swing cutover moves the whole system in a single window. The phased approach distributes risk and keeps each rollback realistic, but extends the total project duration and requires managing the interface between old and new systems during the transition. The hot approach minimises total outage but demands the highest level of pre-cutover testing because there is little time to recover inside the window.
A Factory Acceptance Test (FAT) verifies that the new system performs correctly against simulated I/O in a controlled environment, usually at the integrator's workshop or panel shop, before anything ships to site. A Site Acceptance Test (SAT) verifies the installed system against real hardware: I/O is checked point by point, field devices respond as expected, and wiring is confirmed. IEC 62381 sets out a common framework for structuring and recording both. FAT proves the logic off the critical path; SAT proves the installation.
Typical PLC cutovers on Australian food and beverage sites run from one shift to a full weekend, depending on the I/O count, process complexity, the wiring conversion approach, and how thoroughly the system was tested beforehand. A single line with a clean FAT and a swing-arm wiring conversion can often be cut over in one planned shutdown. Larger or tightly interlocked plants are usually staged across several windows.
I/O verification is where the new system meets the real plant for the first time, and it is where site records most often turn out to be wrong. Every digital and analogue point has to be forced or driven and confirmed end to end, from field device to controller tag to HMI. Mislabelled cables, undocumented links and analogue scaling errors all surface here. Building generous time buffers around I/O checks, and verifying cable labels before the window, is what keeps the cutover on schedule.
A rollback plan defines, for each decision gate, what state must be reached by what time for the cutover to proceed, what it takes to restore the previous state, and how long that reversion itself needs. It also names a clear point of no return, usually the moment legacy hardware is removed, after which reverting is no longer cheap. The plan lets the team decide against the remaining window rather than in hope, and it should be written and reviewed before the window opens.
Modernise legacy PLC, SCADA, HMI and control infrastructure with staged cutover planning.
Commissioning engineers, FAT, SAT, loop checks, startup support and control system audits.
PLC programming, troubleshooting, commissioning and legacy migration across Rockwell, Siemens and mixed sites.
Planning an upgrade without losing production on a live Australian manufacturing site.
Obsolescence and lifecycle assessment, risk, phased versus big-bang cutover and how to stage a modernisation on a live plant.
A practical engineering guide to planning an automation upgrade on a live Australian plant: obsolescence and lifecycle assessment, risk ranking, phased versus big-bang cutover, brownfield constraints, spares, and standards continuity.
Key point
Lifecycle assessment sets the timing, not the failure
Published 9 May 2026
How to plan a legacy PLC migration on a live Australian plant without losing production: when to start, how to scope the outage window, and how to stage the cutover.
Key point
Plan before support risk becomes urgent
Published 9 Apr 2026
A practitioner guide to scoping industrial automation for Melbourne and Victorian manufacturers: the PLC, SCADA, panel and network scope, greenfield versus brownfield upgrades, IEC 61131-3 languages, and how to choose a control systems integrator.
Key point
Scope from the operating constraint
Published 8 Apr 2026
Map out scope, delivery approach and what to have ready before the first conversation. Answer a few questions and Metromotion Controls returns a tailored scoping brief on screen.