When the HSM is in normal operation:
1. The tamper detection mechanism must be active. This is set at the factory and cannot be disabled by the user.
2. The motion sensor must be enabled.
3. The temperature sensor must be enabled.
4. The HSM's diagnostic tests must be run on a regular basis. These tests exercise the unit's cryptographic functions as well as the general operational correctness of the device.
5. The unit must be periodically inspected for signs of tampering (see section “Periodic Inspection Procedure”). Procedures should be in place to withdraw a unit from service and destroy its key material if tampering is evident or suspected.
6. Any problems must be reported so that corrective action can be taken.
7. Any failed product must be replaced or repaired in a timely manner.
8. A secondary unit should be available and ready for use in case the primary unit becomes inoperable for any reason.
9. In the event of failure of the primary unit, a means of quickly switching operation to the secondary device should be available at all times. An automated load-balancing mechanism may be useful for this purpose.
10. At least two authorised individuals must control the initialisation of the product.