— Resources

Brownfield PLC upgrade. What Australian plants need to know.

A working guide for plant managers, controls engineers, and capex committees considering a PLC, HMI, or SCADA upgrade on a running plant. Risk, sequencing, and the decisions that determine whether a brownfield project delivers or destroys the production budget.

01 / what

What "brownfield" actually means in industrial automation.

Brownfield is the polite word for a plant that already exists, already runs, and cannot stop. Most automation work in Australia is brownfield by this definition. Greenfield builds are the exception, not the rule. The discipline is different. The constraints are different. The first job is to understand what's there before changing anything.

In the controls world specifically, brownfield means a working stack you cannot pause to redesign. A PLC programmed in 2009. An HMI panel that nobody remembers reflashing. A SCADA database with twenty thousand tags, half of them undocumented and three of them load-bearing. Field instrumentation wired to a layout drawing that no longer matches the panel. All of it produces something every shift. The line is paid for the day, not the year.

Greenfield is the opposite. Empty foundation, blank P&ID, no operators with muscle memory. The engineer chooses the platform, the cable run, the operator screen, the alarm philosophy. The freedoms are real. They are also rare. Most automation work happening in Australia in 2026 is brownfield, including most of Pac Technologies' programming work. The plants that built themselves new in the 1990s and 2000s are now twenty to thirty years old, and the easy upgrade window passed when the original engineer retired.

This guide is about working with what is there. Documenting it. Risking changes against it. Sequencing the changeover. Choosing what to replace, what to retrofit, and what to leave alone for another five years. None of those decisions look the same on a brownfield site as they do on a slide deck.

02 / why now

Why the brownfield upgrade conversation is louder in 2026.

Australian plants running Siemens S7-300 controllers face three concurrent deadlines converging in 2025–2027: S7-300 power supply modules entered phase-out from October 2023, the SOCI CIRMP cyber framework became mandatory for in-scope sites in August 2024, and AS IEC 62443 was adopted as the national OT cybersecurity standard in July 2025.

The hardware is still running. The vendor relationship and the regulatory clock are where the pressure is — and for many plants, the spare on the shelf is the last one available at any price.

[Figure: timeline, 2023 to 2033. Platform lifecycle: S7-300 PM400 (Oct 2023), S7-300 PM410 (Oct 2025), spares cliff (Oct 2033). Cyber regulation: CIRMP cyber (Aug 2024), AS IEC 62443 (Jul 2025).]
Two clocks running on the same window. Sources: Siemens Industry Online Support 109809890; CISC, SOCI Act; Standards Australia / IT-006 adoption. Retrieved 17 May 2026.

Hardware end-of-life is the most concrete pressure.

The clearest signal in 2026 is from Siemens. The S7-300 entered active phase-out for the most common power-supply modules in October 2023 and October 2025, with spare parts committed only until 2033 (Siemens IOS 109809890). The S7-400 is still officially in active production with availability quoted "beyond 2030," but Siemens does not publish a future discontinuation date until the EOL process formally begins, meaning the next product information letter is the only warning the market will get. Plants running the older 300 series have a planning window of about seven years. Plants running 400s have an unknown window that could close at any time.

Underneath both is a quieter problem. The HMI panels and engineering workstations that drive the PLC layer are often Windows boxes from before the controls team owned IT decisions. We still walk into plants where the SCADA node is running Windows XP (extended support ended April 2014) or Windows 7 (extended support ended January 2020). The boxes are functional. They are also unpatched, unsupported, and in 2026 they are the single softest target on the OT network.

The SCADA and PLC software vendors are also moving.

Rockwell renamed RSLogix 5000 to Studio 5000 at the v20-to-v21 jump, and the version sprawl in plants that have been adding controllers since 2010 is real. We have audited PlantPAx sites with three different Logix Designer major versions in use across the same line. AVEVA finished consolidating the Wonderware product family under its own brand after Schneider Electric's 2018 merger, and the licensing model changes have been significant enough that many existing customers are running cost comparisons against Inductive Automation Ignition for the first time. Citect customers on older 7.x versions are facing the same conversation.

None of that forces an upgrade on its own. Combined with a plant manager's quarterly OEE figure that no one trusts and an MES request the existing SCADA cannot serve, the case for spending starts to write itself.

Cyber and traceability obligations now sit downstream of automation choices.

Australia adopted the AS IEC 62443 series as the national standard for OT cybersecurity in July 2025, via Standards Australia's IT-006 committee (Industrial Cyber, July 2025). The standard does not directly mandate spend; it sets the technical baseline that the SOCI Act's Critical Infrastructure Risk Management Program increasingly references. CIRMP cyber framework obligations for in-scope entities came into force on 17 August 2024, with the inaugural board-approved annual report due 28 September 2024 (CISC). Food and grocery is one of the eleven sectors covered.

What that means on a brownfield site is concrete. The flat plant network where the PLCs and the office printers share a switch is no longer audit-acceptable. Three things are now scope items on the upgrade, not nice-to-haves for next quarter: network segmentation between the corporate IT side and the plant-floor OT side, asset inventories that hold up under inspection, and secure remote access that does not depend on a vendor VPN configured a decade ago.

Three pressures. One window. The plants that move planned spend less than the plants that move panicked.
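A first-pass check of an asset inventory against the points in this section, added here as an illustration and not taken from Pac Technologies' tooling: it flags IT and OT assets sharing a segment, OT hosts on the two Windows versions named above, and rows too incomplete to hold up under inspection. The CSV columns, asset names, switch names and VLAN ids are constructed, and treating "same switch and same VLAN" as a shared segment is an assumption.

```python
import csv
import io
from collections import defaultdict

# Operating systems this guide names as past extended support.
UNSUPPORTED_OS = {"windows xp", "windows 7"}
REQUIRED = ("asset", "zone", "switch", "vlan", "os")

# Constructed inventory export; every name and VLAN id here is made up.
INVENTORY_CSV = """asset,zone,switch,vlan,os
PLC-FILLER-01,OT,SW-PLANT-1,1,firmware
HMI-FILLER-01,OT,SW-PLANT-1,1,Windows 7
SCADA-NODE-A,OT,SW-PLANT-1,20,Windows XP
PRINTER-OFFICE-2,IT,SW-PLANT-1,1,firmware
LAPTOP-ACCOUNTS,IT,SW-OFFICE-1,10,Windows 11
VIB-SENSOR-GW,OT,SW-PLANT-2,,
"""


def audit_inventory(csv_text):
    """Return findings: mixed IT/OT segments, unsupported OT hosts, incomplete rows."""
    # (switch, vlan) -> zone -> list of asset names
    segments = defaultdict(lambda: defaultdict(list))
    findings = {"mixed_segment": [], "unsupported_os": [], "incomplete": []}

    for row in csv.DictReader(io.StringIO(csv_text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        zone = row["zone"].upper()

        # A row with blank fields cannot be placed on the network diagram.
        blank = [f for f in REQUIRED if not row.get(f)]
        if blank:
            findings["incomplete"].append((row["asset"], blank))

        if zone == "OT" and row["os"].lower() in UNSUPPORTED_OS:
            findings["unsupported_os"].append((row["asset"], row["os"]))

        if row["switch"] and row["vlan"]:
            segments[(row["switch"], row["vlan"])][zone].append(row["asset"])

    # A segment holding both zones is the "PLCs and printers share a switch" case.
    for (switch, vlan), zones in sorted(segments.items()):
        if "IT" in zones and "OT" in zones:
            findings["mixed_segment"].append({
                "switch": switch, "vlan": vlan,
                "it": sorted(zones["IT"]), "ot": sorted(zones["OT"]),
            })
    return findings


if __name__ == "__main__":
    for kind, items in audit_inventory(INVENTORY_CSV).items():
        print(kind, items)
```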

03 / risk

Risk assessment: what actually goes wrong.

The failure modes in brownfield projects repeat. The plants that survive them documented what was actually there before changing it, and had a written fallback for every change before they made it.

The engineer who knew the line has left.

Tribal logic (undocumented PLC code that does something obviously sensible but for reasons only one person ever understood) is the single most common source of brownfield project surprise. The original engineer wrote the workaround at 2 a.m. during a commissioning weekend in 2011, never wrote it down, and left the company in 2018. The mitigation is not "find the engineer." It is to extract and read every PLC routine before any modification, and treat any block of code that looks redundant or pointless as load-bearing until proven otherwise. It usually isn't redundant. It usually stops the filler from overshooting when the upstream conveyor jams.

Field wiring does not match the drawings.

The wiring diagram on the wall shows the panel as it was commissioned. What is actually in the panel reflects every maintenance call since. New cable colours where the original stock ran out. A relocated terminal because the original location burned out. A jumper added to bypass a fault that turned out to be a sensor problem. A walkdown (a physical signal-by-signal verification with the panel open and a multimeter) is the only way to find these. Budget two to four days of an instrument tech's time per panel. The cost of skipping is usually a wiring fault discovered at FAT.

Tag namespaces collide on migration.

The legacy PLC has tags named in a convention the original engineer made up. The new platform has its own conventions or, worse, restrictions on character length and reserved words. Migrating without remapping is how you get a SCADA showing live data from the wrong tag. The fix is dull: a tag-by-tag mapping spreadsheet, signed off before any logic is migrated, with the legacy and new names side by side. Boring spreadsheets prevent the kind of cutover problem that gets discussed in the boardroom.
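The mapping sheet can be checked mechanically before sign-off. The validator below is an added example, not code from this guide's author: it reports two legacy tags landing on one new name, new names that break the target platform's rules, rows for tags that no longer exist, and legacy tags nobody mapped. The length limit, character rule, reserved-word list and all tag names are hypothetical placeholders for the real platform's values.

```python
import csv
import io
import re
from collections import defaultdict

# Assumed target-platform naming rules. These values are hypothetical: take the
# real length limit, character set and reserved words from the vendor manual.
MAX_LEN = 32
VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
RESERVED = {"IF", "THEN", "ELSE", "FOR", "WHILE", "TRUE", "FALSE"}

# Constructed sample: tags exported from the legacy PLC, and the mapping sheet.
LEGACY_TAGS = ["FILL_01.LVL_PV", "FILL_01.LVL_SP", "CONV_UP.JAM",
               "CONV_UP.RUN", "SEQ.STEP", "MX7_TMP"]
MAPPING_CSV = """legacy,new
FILL_01.LVL_PV,Filler01_Level_PV
FILL_01.LVL_SP,Filler01_Level_PV
CONV_UP.JAM,ConvUpstream_Jam
CONV_UP.RUN,Conveyor_Upstream_Motor_Running_Feedback
SEQ.STEP,For
OLD_PUMP.RUN,Pump_Run
"""


def validate_mapping(legacy_tags, mapping_csv):
    """Check a legacy -> new tag mapping sheet; return issues grouped by kind."""
    issues = defaultdict(list)
    legacy_set = set(legacy_tags)
    mapped = set()
    owners = defaultdict(list)  # case-folded new name -> legacy tags claiming it

    for row in csv.DictReader(io.StringIO(mapping_csv)):
        legacy, new = row["legacy"].strip(), row["new"].strip()
        if legacy not in legacy_set:
            issues["orphan_row"].append(legacy)      # sheet names a tag the PLC lacks
            continue
        if legacy in mapped:
            issues["duplicate_legacy"].append(legacy)
            continue
        mapped.add(legacy)
        if len(new) > MAX_LEN:
            issues["too_long"].append(new)
        if not VALID_NAME.match(new):
            issues["bad_chars"].append(new)
        if new.upper() in RESERVED:
            issues["reserved_word"].append(new)
        # Compare case-insensitively (assumed): names differing only in case
        # are treated as the same tag.
        owners[new.casefold()].append(legacy)

    # Two legacy tags on one new name is the "live data from the wrong tag" case.
    for new_key, claimants in owners.items():
        if len(claimants) > 1:
            issues["collision"].append((new_key, sorted(claimants)))
    issues["unmapped"] = sorted(legacy_set - mapped)
    return dict(issues)


if __name__ == "__main__":
    for kind, items in validate_mapping(LEGACY_TAGS, MAPPING_CSV).items():
        print(kind, items)
```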

The most recent backup does not actually exist.

The standard assumption is that the running PLC code is in a safe-deposit box somewhere. The reality, on every second brownfield site we walk into, is that the most recent backup is the upload taken during commissioning seven years ago and has not been updated through any of the modifications since. If the live controller dies during cutover, that backup will restore an obsolete and broken version of the logic. Take a fresh upload of every PLC in scope, verified by checksum, before any work starts, along with the alarm setpoints, recipe blocks, and HMI configurations that live in their own files.
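One way to do the checksum verification described above, as an added example that is not part of the original guide: hash every file in the backup set into a manifest, then re-verify before cutover and confirm that each controller in scope actually has files. The one-directory-per-controller layout, the file names and the controller ids are assumptions, and the file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large project archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 and size."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p),
                                         "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify(root, manifest, controllers_in_scope):
    """Compare the backup set on disk with the manifest taken at upload time."""
    current = build_manifest(root)
    report = {
        "missing": sorted(set(manifest) - set(current)),
        "unlisted": sorted(set(current) - set(manifest)),
        "changed": sorted(k for k in manifest.keys() & current.keys()
                          if manifest[k]["sha256"] != current[k]["sha256"]),
        # A controller with no file under its own directory has no backup at all.
        "no_backup": sorted(c for c in controllers_in_scope
                            if not any(k.startswith(c + "/") for k in manifest)),
    }
    report["ok"] = not any(report.values())
    return report


def demo():
    """Constructed backup set: PLC02 is in scope but was never uploaded."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "PLC01/project_upload.bin": b"constructed PLC01 logic image",
            "PLC01/alarm_setpoints.csv": b"tag,hi,lo\nLVL_PV,90,10\n",
            "HMI01/screens.cfg": b"constructed HMI config",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(root)
        scope = ["PLC01", "PLC02"]
        before = verify(root, manifest, scope)
        # Same-size edit to a setpoint file: a size check alone would miss it.
        (root / "PLC01/alarm_setpoints.csv").write_bytes(b"tag,hi,lo\nLVL_PV,95,10\n")
        (root / "HMI01/screens.cfg").unlink()
        after = verify(root, manifest, scope)
        return before, after


if __name__ == "__main__":
    for label, rep in zip(("at upload", "before cutover"), demo()):
        print(label, rep)
```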

There are no commissioning spares on the shelf.

A brownfield upgrade frequently turns up parts that are obsolete in their original form and have no clean equivalent in the new platform. CPU modules with discontinued memory cards. Power supplies with discontinued bus connectors. A spare card on the shelf saves a week of expediting at the worst possible moment. We carry a small bench inventory of S7-300 spares specifically because the platform's EOL window is open right now. Plants relying on a vendor for next-day delivery in 2026 are increasingly disappointed.

The operators were not part of the planning.

A new HMI is a new operator interface. The buttons move. The colours change. The alarm tones are different. A site that retrained operators in the week before cutover is a site that lost productivity in the month after. Build operator training into the project plan, preferably as a series of shop-floor sessions during FAT rather than a single lecture the week before go-live. The site engineer who delivers the upgrade is not the right person to deliver the training. The most experienced operator on the line usually is.

04 / document first

Document the existing system before touching it.

Every successful brownfield project starts with the same uncomfortable step: someone going through the existing PLC code, IO list, and P&ID drawings until they match reality, not the as-built-from-five-years-ago story. The temptation to skip this is enormous. The cost of skipping it is larger.

The artefact most teams under-budget is the discovery pack itself. A reasonable rule of thumb on brownfield work is that documentation and walkdown sit between 10% and 20% of total project effort. Skip it and you pay back twice over in surprise during commissioning. The minimum discovery scope is consistent across sectors:

  • PLC code, extracted and labelled. Not just a backup. The actual project files, version-controlled, with dead code and copy-pasted blocks flagged. The point is to be able to read it, not just to have it.
  • IO list reconciled with a physical walkdown. Two to four days per panel with a multimeter, signal by signal, until the spreadsheet matches what is in the cabinet.
  • Alarm list with response procedures. Every active alarm, what triggers it, what the operator should do, who gets called if the operator cannot fix it.
  • HMI screen inventory. Page-by-page screenshots, each control element labelled to the underlying tag. This is the single best document for the operator-retraining conversation later.
  • SCADA tag database export. Format-converted into something both teams can read. Stale tags identified and quarantined, not deleted, until cutover.
  • Operator-facing modes and recipes. Every named mode the line can run in. Every recipe in active use. Every recipe that was active two years ago and might still be referenced.
  • Network topology. Switches, ports, VLANs, the rogue cable someone added to get a vibration sensor working in 2019. AS IEC 62443 segmentation work cannot start until this exists.
  • Spare parts inventory. What is on the shelf, what is on the maintenance team's wishlist, and what the integrator should expect to source.
  • Maintenance log, last 24 months. The patterns of recurring faults tell you which parts of the line will need the most attention in the new platform.

The output of this stage is the document that the FAT scope and the cutover plan both reference. If it is incomplete, both downstream documents inherit the gaps. Plants that hand the integrator a thin discovery pack on day one are quietly transferring the discovery cost into the integration cost, at a worse hourly rate.

05 / cutover

Cutover planning: the actual changeover.

The cutover is the moment the new system replaces the old. Done well, it is uneventful; done badly, it loses a production week. The plants that minimise downtime have planned the cutover in detail months in advance, including the moment they will pull the plug and revert if something goes wrong.

Three cutover models are in regular use on brownfield sites, and the right choice is usually obvious once the line constraints are mapped.

Big-bang weekend cutover.

The old system goes off Friday evening. The new system goes live Monday morning. Everything in between is migration, FAT-style testing, and the rollback rehearsal nobody hopes to need. This model suits lines that can absorb a planned weekend shutdown without breaking the supply chain: sortation cells, end-of-line packers, single-product runs. It demands a rehearsed team, a strong fallback plan, and a written rollback trigger. Pac Technologies has delivered weekend cutovers on sortation lines where the alternative was a four-week phased migration with two unscheduled go-backs. The weekend approach won on total downtime by a factor of three.

Parallel run with phased migration.

The new and old systems run side by side. Each subsystem switches over when the engineering team and the operations team agree it is comfortable. Integration cost is higher because you build twice. Risk on any single switchover is lower because the fallback is the system already running next to it. This is the right model for complex multi-line plants where a single weekend cannot contain the cutover and where the cost of an unplanned production day exceeds the cost of the parallel build.

Module-by-module replacement.

Replace one PLC, one cell, one line at a time, over months or quarters. The slowest model and the lowest single-day risk. It suits plants that cannot afford even a planned weekend shutdown: continuous-process operations, sites with regulatory uptime obligations, plants where the upgrade is a strategic investment rather than a response to an immediate failure. The drawback is calendar drag and the temptation to leave the last 20% incomplete because the line is "good enough."

What to have in writing before cutover.

The cutover documents that pay back the most are not the ones the integrator builds for themselves. They are the ones operations relies on at 02:00 on the cutover Saturday. The minimum:

  • Rollback trigger criteria. The specific test failures that revert the cutover, written as a yes/no checklist, signed off in advance by both sides.
  • Comms tree. Names and phone numbers. Who calls whom at what time. Who has authority to call rollback.
  • Test scripts. Green-light checks for each subsystem, with expected results, in operator language.
  • Operator coverage roster. Who is on the line during cutover, who reviews each shift, who runs the post-cutover stabilisation week.

The cutover that goes well is the boring one. Engineers should be the people writing the rehearsal scripts, not the people watching the line light up at 06:00 on Monday and waiting for the first surprise.

06 / retrofit vs replace

Retrofit or full replacement: when each is right.

The cheaper option on paper (retrofit the PLC into the existing panel, keep the field wiring, keep the operator desks) is not always the cheaper option in practice. The cost is in adapter modules, integration hours, and the limitations the old layout imposes on the new system for the next ten years.

Four criteria settle the question for most brownfield sites:

  • Age and condition of the panels. Panel doors that still seal, terminals that still take a screwdriver without crumbling, cable insulation that has not gone brittle. These are the prerequisites for any retrofit. Once you are past the point where a sparkie will write up the cabinet as an electrical risk, the conversation is full replacement.
  • Free space in the panel. An S7-1500 is physically larger than the S7-300 it replaces. ControlLogix L8 is similar to an L7 in footprint, but the IO module pitch has changed. A retrofit that requires removing a fifth of the existing IO to fit the new CPU is not a saving; it is a partial replacement that bills like a retrofit.
  • Network topology you can reuse. If the existing field network (Profibus, DeviceNet, ControlNet) terminates cleanly at the controller, you can swap the CPU and keep the network. If the new platform requires Profinet or EtherNet/IP throughout, you are running new cable, and the retrofit advantage evaporates.
  • IO expansion needs over the next decade. If the existing panel is full and the line is going to add another vision system or another washdown zone within five years, the retrofit puts you back in front of the same conversation in 36 months.

Retrofit wins on a clean single-line plant with current panels and no IO expansion plan. Full replacement wins on a multi-line site where the existing panels have a decade of patch work, the IO is at 90% utilisation, and the next five years of OEE and traceability work demand a different network philosophy than the one the original integrator chose.

The honest summary: a retrofit that buys five more years is a good decision. A retrofit that buys two more years and prevents the proper replacement that would have lasted fifteen is the most expensive saving you can make.

07 / standards

Standards and safety implications during upgrade.

A brownfield upgrade is the cheapest opportunity to bring an old line up to current safety and electrical standards. It is also the easiest moment to leave compliance gaps in place because "the existing system was grandfathered." Both decisions have consequences.

Four standards bind the work, and each has a brownfield-specific consideration that does not arise on greenfield.

AS/NZS 3000 electrical compliance.

The wiring rules apply to the entire panel as installed, not just the new components. A retrofit that adds a CPU into a panel where the existing earthing was never certified is a fresh non-compliance, not an inherited one. The walkdown in §04 should flag any cabinet conditions that the electrical contractor needs to bring up before the new equipment energises.

AS 4024 machine safety and ISO 13849 performance levels.

A meaningful modification to the line is the trigger for a fresh risk assessment under AS 4024. New PLC, new safety logic, new emergency-stop wiring. Any of those is enough to invalidate the existing assessment. The cheap way through this is to fold the safety review into the discovery phase rather than waiting until the FAT. The expensive way is to discover during commissioning that the existing guarding does not meet the assessed performance level required for the new sequence.

IEC 61508 / 61511 functional safety.

If the line has SIL-rated functions (typical in process industries and any application with a high-consequence failure mode), the safety integrity level must be revalidated after a controller swap. The validation paper-trail is not optional. A separate article on SIL determination in Australia covers the detail.

AS IEC 62443 OT cybersecurity.

Australia adopted the AS IEC 62443 series in July 2025. For brownfield upgrades on critical-infrastructure sites (which now includes most food and grocery operations under SOCI), the cyber baseline applies from the day the new equipment is connected. Network segmentation between the corporate IT side and the plant-floor OT side is no longer an architectural preference. Asset inventories, secure remote access patterns, and incident logging are scope items in the upgrade, not nice-to-haves the integrator can promise to revisit next quarter. Consultancy engagements that scope the cyber side before the controls scope is set land cleaner.

08 / choosing

Choosing an integrator for brownfield work.

Brownfield is harder than greenfield. The integrator that does it well asks different questions, costs the project differently, and structures the engagement around discovering what's there before committing to a delivery date. The signals are easy to spot if you know what you're looking for.

Ten questions worth asking any prospective brownfield integrator before the engagement begins:

  1. How does your discovery phase work, and what is in the output document? A real answer covers the walkdown, the PLC code extraction, the tag inventory, and the timeline. A vague answer ("we have a standard methodology") is the warning sign.
  2. How do you cost unknown-unknowns? Fixed-price brownfield bids that ignore discovery findings either pad enormously or fail at commissioning. Look for time-and-materials on discovery, fixed-price on the defined scope that follows.
  3. What is your cutover model for our line, and why? The integrator should have an opinion on big-bang versus parallel versus phased, based on what they have seen of your line. If they don't, they haven't thought about it yet.
  4. What is the written rollback trigger? The cutover plan should have a yes/no checklist of conditions under which the change reverts. If they cannot describe it in one sentence, the plan does not exist.
  5. Who is on site during cutover and for how long? Named engineers. Defined stabilisation window. An integrator that bills extra for the first week after go-live is selling commissioning insurance separately.
  6. Have you delivered on this exact platform combination before? "Yes, we know S7-1500" is not the same as "yes, we have migrated an S7-300 to S7-1500 with the existing Wonderware front end intact." Brownfield is a platform-pair problem, not a platform problem.
  7. Whose coding standard will the new logic use? Yours, theirs, or the platform vendor's reference. Signed off in writing before development. The plant inherits the code; the plant should be able to read it.
  8. What is in the handover pack? Source code, drawings, tag database, alarm list, runbooks, login credentials, network diagrams, operator training material. Everything needed to run the plant without the integrator.
  9. Will the engineers who scope this be the ones delivering it? Bait-and-switch between the scoping team and the delivery team is the single most consistent pattern in brownfield project disappointment.
  10. Reference customer we can call in our state? A phone number, not a testimonial. Bonus marks if the reference is a brownfield project that went wrong and the integrator stuck around to fix it.

Pac Technologies has been doing brownfield-by-default automation in Australia since 2003. Most of our project work has been on running plants with deferred upgrades and undocumented prior work. If the questions above are useful, the conversation is worth having. If they are not, the integrator who cannot answer them comfortably is the answer to the next question.

09 / faq

Common questions.

How long does a typical brownfield PLC upgrade take?

It depends entirely on scope. A single-PLC swap is a fundamentally different project to a multi-PLC line with SCADA refresh, which is a fundamentally different project to a plant-wide migration with ERP integration. The discovery phase is often the longest single segment and the most underestimated. Documentation quality is the single biggest driver of how far the schedule extends beyond initial expectations.

Can the upgrade happen without stopping production?

Rarely fully zero-downtime, but most brownfield cutovers can be contained to a planned weekend shutdown or, for plants that cannot afford even that, to a module-by-module migration over months. The right model depends on the line's tolerance for risk on cutover day, the cost of a production day, and how much integration work the plant is willing to fund to run two systems in parallel. A separate article on cutover strategy goes through each model in detail.

We've lost the original PLC backup. Is it still upgradeable?

Yes. The discovery phase becomes more expensive because the integrator must extract logic from the running controller, walk down the IO to physical signals, and reverse-engineer the alarm and sequence behaviour from operator interviews. The cost is real but the project is not blocked. It is significantly cheaper to do this work as a planned discovery than as an emergency during cutover.

Should we go like-for-like or switch platforms?

Like-for-like is faster, lower risk, and inherits the operator muscle memory. It also locks the plant into the same platform for another ten to fifteen years. A platform switch (Siemens to Rockwell, Wonderware to Ignition) is the right call when the existing vendor relationship has become a problem, when the engineering team is already trained on the alternative, or when the platform's roadmap no longer matches the plant's needs. Switching platforms during a brownfield upgrade roughly doubles the integration scope. It is not a cosmetic choice.

What does a brownfield upgrade actually cost?

The honest answer requires a scoped brief. A single-PLC swap on a clean panel is a fundamentally different project to a multi-PLC line with SCADA refresh, which is a fundamentally different project to a plant-wide migration. The variable is rarely the hardware; it is the integration hours, the discovery cost, and the safety and cyber work the upgrade triggers. Any integrator quoting a tight number before completing discovery is selling something they will revise later, at the customer's expense.

— sources

Sources and further reading.

Every dated claim in this guide is anchored to a verified source, retrieved on 17 May 2026.

  • Siemens Industry Online Support. Product phase-out of S7-300 / ET 200M components, document 109809890. Retrieved 17 May 2026. Siemens IOS 109809890
  • Industrial Cyber. Australia adopts AS IEC 62443 as national cybersecurity standard for critical infrastructure, July 2025. Retrieved 17 May 2026. industrialcyber.co
  • Cyber and Infrastructure Security Centre. Security of Critical Infrastructure Act 2018 and CIRMP guidance. Retrieved 17 May 2026. cisc.gov.au
  • PwC Australia. The Evolution of SOCI and November 2024 amendments. Retrieved 17 May 2026. pwc.com.au