Welcome to Communities.
"I have stood up a new kms and want to know if I can simply ADD the new kms to the key mgmt, establish the trust and then change the KMS cluster in vsan services??
Is this safe?
Will the system continue to run on?"
What you are suggesting is a shallow-rekey using the new KMS - this requires the old KMS to be available and thus unfortunately this probably won't be possible:
What I would advise is to NOT reboot any hosts (as you may end up with more disks locked), take full/current back-ups of what is available and restore this data to a new cluster (or the same cluster after wiping it down and configuring a new KMS).
If this is a production cluster then I would advise contacting GSS vSAN to determine whether there is anything else we can do to assist from our side. You might have some VMs whose namespace Objects are Inaccessible but whose vmdk Objects are still available and other stuff like VMs that are marked as Invalid/Inaccessible but are only missing something relatively minor like a boot device.