Updating ASM Attack Signatures is generally considered extremely low impact, enough so that automatic updates are actually recommended, even in a prod environment:
https://support.f5.com/csp/article/K8217
You will have sufficient time to analyze any possible false positives as new signatures are placed into staging.
However, major updates to a policy should have their impact fully understood before committing. If a full dev environment is not available, at least a dev VS with a test policy may be the best option.
When it comes to full OS upgrades, though, this will always result in at least a brief outage. Best practice with an HA pair is to upgrade the standby unit of the pair first and fail over to it once it becomes available again. Upgrade the previously active unit and then fail back to test. This way you have only two very quick failover events and you are effectively testing both units in the pair.
The question is fairly wide though. One should always adhere to their company change policies and fully understand impact before any change is made.