Change jobs scheduled to redundant services (active/passive or active/active) should be scheduled in such a way to preserve availability.
Ideally end users should be able to denote that these services should follow a round-robin schedule (1 node at a time) with a post-maintenance validation step (e.g. OM availability/performance metrics normal) before service begins on the next node.
Inherent modeling and handling of clusters would also vastly simplify the interaction with users for emergency change actions (e.g. critical vulnerability fixes) which currently require manual verification and scheduling of the next node for service.