FAQ

How often should risk assessments and zone models be updated?

There is no universal fixed cadence that fits every regulated plant. In practice, risk assessments and zone models should be maintained as living artifacts, with a minimum review cycle and clear triggers that require an update.

Baseline review cadence

Most regulated manufacturers adopt a tiered approach:

  • High-criticality systems/zones (safety, product quality, batch release, regulated data, IP): review at least annually, with a documented management review.
  • Medium/low-criticality zones: review every 2 to 3 years, provided no major changes or incidents have occurred.
  • Enterprise or site-level risk posture: align with your broader risk management cycle, often annually or tied to internal audit cycles.

These are practical norms, not guarantees of adequacy. Actual frequency should be justified in your risk management procedure and supported by evidence (incident history, change volume, maturity of controls).

Event-driven triggers to update models

Regardless of your scheduled review, you should update risk assessments and zone models whenever any of the following occur:

  • Changes to systems or architecture such as:
    • New equipment, lines, or manufacturing cells added.
    • Legacy systems decommissioned or replaced.
    • Network segmentation changes, new firewalls, or new remote access mechanisms.
    • Cloud or SaaS services introduced for production, quality, or maintenance data.
  • Process or product changes that alter risk, such as:
    • New product families or recipes with different safety or quality profiles.
    • Changes to batch release paths, data flows, or decision authority.
    • Automation changes that remove/add human checks or introduce new failure modes.
  • Security or quality events including:
    • Cyber incidents, malware infections, or suspected compromise of OT/IT systems.
    • Major deviations, recalls, or systemic nonconformances tied to system or data issues.
    • Supplier or third-party incidents that affect shared systems or data.
  • External drivers such as:
    • New or updated standards (e.g., IEC 62443 series), corporate policies, or regulatory expectations.
    • Major organizational changes, outsourcing, or new integration partners.

In these cases, the question is not “when is the next annual review” but “can our current risk and zone model still be trusted for decisions.” If the answer is no, an update is due.

Depth of each update

Not every update needs to be a ground-up rebuild:

  • Minor update: adjust a few assets, interfaces, or data flows and document the impact on risk ratings and controls.
  • Targeted reassessment: focus on specific zones, systems, or threat scenarios affected by a change (for example, introducing remote vendor support).
  • Full refresh: re-baseline the entire zone model and supporting risk assessment when the architecture or operating model has changed substantially over time.

Document the scope of each update so auditors and internal stakeholders can see what was reassessed and why.

Brownfield and lifecycle realities

In long-lifecycle, brownfield plants, fully redoing risk assessments and zone models every year is often unrealistic due to:

  • Complex legacy stacks across MES, ERP, QMS, PLM, historians, and machine controls.
  • Limited downtime to verify models against the live environment.
  • Validation and qualification overhead whenever risk assessments drive changes to validated systems.

A practical approach is to prioritize:

  • Zoning and risk models for GxP- or safety-critical paths (from sensor/PLC up to batch release, quality decisioning, and regulatory reporting).
  • Interface-heavy nodes such as data hubs, integrations with cloud or enterprise IT, and remote access gateways.
  • Zones with known technical debt or repeated deviations and incidents.

Rather than a full replacement of existing models, iterate: maintain the most critical views at higher fidelity, and improve lower-risk areas opportunistically during other change or upgrade projects.

Governance, traceability, and validation

Whatever frequency you choose, it needs to be backed by governance:

  • Documented procedure defining review frequency, triggers, roles, and approval requirements.
  • Change control integration so that plant changes cannot close without checking whether risk and zone models must be updated.
  • Version control and traceability to show how changes in risk assessment or zoning led to specific technical or procedural controls.
  • Validation impacts understood upfront where risk models feed validated configurations, test scripts, or system categorizations.

This avoids the common failure mode where zone models are created for a project or audit, then drift out of sync with the real plant and lose credibility.

Putting it together

A defensible practice in most regulated, mixed-technology environments is:

  • Define high-/medium-/low-criticality zones and assets.
  • Commit to at least annual review of high-criticality zones and 2 to 3 year review of others.
  • Mandate event-driven updates on significant changes, incidents, or new regulatory expectations.
  • Ensure all updates go through change control with clear versioning and impact analysis.

From a leadership standpoint, the key question is not just “how often” but “how quickly can we detect when our current risk and zone models are no longer accurate enough to rely on for safety, quality, and cybersecurity decisions.”
